Heiko Schlittermann
2015-Oct-13 20:33 UTC
TLS communication director -> backend with X.509 cert checks?
Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:36:40 CEST): ?> > I see: > > > > a) pass the host *names* to the director too, for CN verification > > purpose > > > > May be in struct mail_host could be a field for the original > > hostname we used to obtain the adress(es)? > > Does the attached patch work? Compiles, but untested.I'm about to test it. Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20151013/dd1fd0e3/attachment.sig>
Heiko Schlittermann
2015-Oct-13 21:34 UTC
TLS communication director -> backend with X.509 cert checks?
Hi Timo, Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23 CEST):> > Does the attached patch work? Compiles, but untested. > I'm about to test it.It seems to update the struct mail_host, but it looks as if the data in mail_host do not propagate down to login_proxy_new(). In other words, in login_proxy_new() set->host contains the IP address, correctly, because the director choose it, but where can I find the hostname there? And we need a way to pass the host*name* further, to the SSL verifcation step, don't we? Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20151013/7c7f18a3/attachment.sig>
Timo Sirainen
2015-Oct-13 21:49 UTC
TLS communication director -> backend with X.509 cert checks?
On 14 Oct 2015, at 00:34, Heiko Schlittermann <hs at schlittermann.de> wrote:> > Hi Timo, > > Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23 CEST): >>> Does the attached patch work? Compiles, but untested. >> I'm about to test it. > > It seems to update the struct mail_host, but it looks as if the data > in mail_host do not propagate down to login_proxy_new(). > > In other words, in login_proxy_new() set->host contains the IP address, > correctly, because the director choose it, but where can I find the > hostname there? And we need a way to pass the host*name* further, to the > SSL verifcation step, don't we?Proxying in general does check that hostname matches the SSL certificate, because both the hostname and IP address are sent to login process. So it should work in a way that host=<hostname> and hostip=<ip> is sent. I thought my patch did that.. Normally auth_debug=yes would be enough to debug this, but this happens between director and login process so I don't think it's going to be of much use. login process's client_auth_parse_args() is what should see these two parameters correctly. I can check this further tomorrow.
Maybe Matching Threads
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?