Hristo Venev
2021-Mar-26 23:14 UTC
ssl_verify_client_cert=yes does not require a client certificate
Hello,
I am trying to set up LMTP over TLS. I have set ssl_verify_client_cert:
protocol lmtp {
ssl_ca = </etc/cert/mail/ca.pem
ssl_cert = </etc/cert/mail/host.pem
ssl_key = </etc/cert/mail/host.key
ssl_verify_client_cert = yes
}
However, clients can still connect without presenting a valid
certificate.
In openssl_iostream_set() the flags given to SSL_set_verify() are
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE. For a certificate to be
required, the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag also needs to be
set:
diff --git a/src/lib-ssl-iostream/iostream-openssl.c
b/src/lib-ssl-iostream/iostream-openssl.c
index 5d11526f1..d8df96398 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -235,7 +235,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
if (ssl_io->ctx->client_ctx)
verify_flags = SSL_VERIFY_NONE;
else
- verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_set_verify(ssl_io->ssl, verify_flags,
openssl_iostream_verify_client_cert);
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 858 bytes
Desc: This is a digitally signed message part
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20210327/3f5f8726/attachment.sig>
Sebastian
2021-Mar-26 23:17 UTC
Sv: ssl_verify_client_cert=yes does not require a client certificate [invalid signature!]
What I have understand, you are able in configuration to reject transactions
with those that doesn't present a valid certificate.
Ergo, they can connect, but they can't do anything.
-----Ursprungligt meddelande-----
Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r
Hristo Venev
Skickat: den 27 mars 2021 00:16
Till: dovecot at dovecot.org
?mne: ssl_verify_client_cert=yes does not require a client certificate [invalid
signature!]
Hello,
I am trying to set up LMTP over TLS. I have set ssl_verify_client_cert:
protocol lmtp {
ssl_ca = </etc/cert/mail/ca.pem
ssl_cert = </etc/cert/mail/host.pem
ssl_key = </etc/cert/mail/host.key
ssl_verify_client_cert = yes
}
However, clients can still connect without presenting a valid certificate.
In openssl_iostream_set() the flags given to SSL_set_verify() are
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE. For a certificate to be required, the
SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag also needs to be
set:
diff --git a/src/lib-ssl-iostream/iostream-openssl.c
b/src/lib-ssl-iostream/iostream-openssl.c
index 5d11526f1..d8df96398 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -235,7 +235,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
if (ssl_io->ctx->client_ctx)
verify_flags = SSL_VERIFY_NONE;
else
- verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_set_verify(ssl_io->ssl, verify_flags,
openssl_iostream_verify_client_cert);
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20210327/d85ea188/attachment.p7s>