search for: nid_commonnam

Hi, please have a look at the attached patch for dovecot-1.0.3 These patch modifies ssl_proxy_get_peer_name() to use the NID_x500UniqueIdentifier as username instead of NID_commonName. The reason is, that the Common Name doesn't have to be unique for the whole mailserver. Example; in germany a lot of people got the first name "Andreas" and the last name "Schulz". Therefore a lot of certificates exists with subjects like this: C=DE,O=ABC,CN=Andreas Schu...

Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet). Expected behavior: Stop the SSL (the client doesn't have a cert installed) Current behavior: Mail clients accepts SSL and login succeeds. (both Evolution and Thunderbird). My bad? Please advise. Q2) The next step, if dovecot blocks

..., buf, sizeof(buf)); - name = t_strndup(buf, sizeof(buf)); + /* HJHJ */ + /* the X509_N_gtbN can return -1 without 0-terminating buf */ + /* if the call succeeds buf is 0-terminated (openssl 0.9.7e / 0.9.8b src) */ + buf[0] = '\0'; + if( X509_NAME_get_text_by_NID(X509_get_subject_name(x509),NID_commonName,buf,sizeof(buf)) < 0 ) + { buf[0] = '\0'; } + name = t_strndup(buf, sizeof(buf) ); X509_free(x509); - + /* HJHJ */ + return *name == '\0' ? NULL : name; } @@ -582,10 +588,22 @@ proxy = SSL_get_ex_data(ssl, extdata_index); proxy->cert_received = TRUE; + + /* HJ...