Heiko Schlittermann
2015-Oct-13 22:46 UTC
TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 00:10:50 CEST):> Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 23:49:20 CEST): > ? > > > > Proxying in general does check that hostname matches the SSL certificate, because both the hostname and IP address are sent to login process. So it should work in a way that host=<hostname> and hostip=<ip> is sent. I thought my patch did that.. Normally auth_debug=yes would be enough to debug this, but this happens between director and login process so I don't think it's going to be of much use. login process's client_auth_parse_args() is what should see these two parameters correctly. > > > > I can check this further tomorrow. > > I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places. > > Oct 14 00:02:33 director1 dovecot: director: Warning: *** login_host_callback: OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe > > Here it seems that the director doesn't send it's knowledge about the > hostname. > > Here some other output, to show that the host list contains names and addresses: > > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends.<domain> [2001:x.y:f33::5:fe] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends.<domain> [2001:x.y:f33::5:ff] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends.<domain> [149.x.y.103] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends.<domain> [149.x.y.102]And if I add -D to the director service, I can see "Debug: request <hash> refreshed timeout to ?", but never I see "Debug: request <hash> added". And from what I understand this would be the place where the mail_host info comes into the game. But probably I do not understand how director_request_continue() is supposed to work. Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20151014/f19b68f0/attachment-0001.sig>
Heiko Schlittermann
2015-Oct-13 23:10 UTC
TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 00:46:11 CEST): ?> > And if I add -D to the director service, I can see "Debug: request <hash> refreshed timeout to ?", > but never I see "Debug: request <hash> added". And from what I > understand this would be the place where the mail_host info comes into > the game. > > But probably I do not understand how director_request_continue() is > supposed to work.Ah, the information comes from the other director running. The other one is using an unpatched version of dovecot. If I shutdown the other director instance, it seems to work. Tomorrow I'll do more testing. Good work, thank you. BTW: I've put there an IPv6 address into the director_servers list (not an DNS name). director_servers = 2001:x:y:f33::5:1 ? inet_listener { address = :: port = 9090 } it doesn't recognize itself: Oct 14 01:06:13 director1 dovecot: director: Fatal: director_servers doesn't list ourself director_servers = 2001:x:y:f33::5:1:9090 ? inet_listener { address = :: port = 9090 } works, but is ambigous, isn't it? Shouldn't we use [2001:x:y:f33::5:1]:9090 in such a case? But: *Unknown director host: [2001:x:y:f33::5:1]* Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20151014/b7762112/attachment.sig>
Heiko Schlittermann
2015-Oct-14 21:28 UTC
TLS communication director -> backend with X.509 cert checks?
Hi Timo Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 01:10:20 CEST): ?> Ah, the information comes from the other director running. The other one > is using an unpatched version of dovecot.Your patch for backend-certificate verification works. Thank you for the good and fast work. Is there any chance that this will make it into Dovecot's next release? BTW: The ambiguity of 2001:db8::9090 remains. Shouldn't you allow [2001:db8::]? resp [2001:db8::9090]? resp. [2001:db8::]:9090? for such cases? (In case one want's to use IPv6 addresses instead of hostnames in the director_servers option. (And probably in other places too.)) ?) Address ?) Address:Port Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20151014/657d7b22/attachment.sig>
Seemingly Similar Threads
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?
- TLS communication director -> backend with X.509 cert checks?