search for: ssl_cert_username_field

Displaying 20 results from an estimated 93 matches for "ssl_cert_username_field".

2012 Mar 20
1
ssl_cert_username_field and subjectAltName?
Hello, Does dovecot support the subject Alternative Name email value [1] as ssl_cert_username_field? If so, how should it be specified in the configuration? Thanks. [1] http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ -- Nicolas
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...aster/master-service-ssl-settings.h | 1 + src/login-common/ssl-proxy-openssl.c | 15 ++++++++++++++- 4 files changed, 18 insertions(+), 1 deletion(-) --- a/src/config/all-settings.c +++ b/src/config/all-settings.c @@ -308,6 +308,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -26,6 +26,7 @@ static const struct setting...
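Review bot: in the `all-settings.c` hunk, the new `ssl_lowest_version` field is added to `struct master_service_ssl_settings` with nothing in the visible lines saying which values it accepts or what an empty value means. Because the setting exists to allow a TLS version lower than the default, the patch should document the accepted version strings, reject unknown values when the configuration is parsed instead of silently falling back, and leave the library's own minimum untouched when the setting is empty.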
2019 Feb 05
8
Dovecot v2.2.36.1 released
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
8
Dovecot v2.2.36.1 released
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
2
Dovecot v2.2.36.1 released
... > * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with ext...
2017 Aug 27
3
[PATCH] Add support for lower TLS version than default
On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote: >> DEF(SET_STR, ssl_protocols), >> DEF(SET_STR, ssl_cert_username_field), >> DEF(SET_STR, ssl_crypto_device), >> + DEF(SET_STR, ssl_lowest_version), > >Does it really require a new setting? Couldn't it use the existing >ssl_protocols setting? You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 which avoids tls1.1. Not s...
2019 Feb 05
2
Dovecot v2.2.36.1 released
...Aki Tuomi wrote: > > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the >...
2012 Apr 09
1
Username from rfc822Name subject alternative name
...D (while NID is obtained with OBJ_txt2nid). If I were to add this, it's bound to make the code a little bit more complicated since SAN's can't be retrieved in the same way. So far in terms of options I have, I can see the following: 1. Create a distinct configuration option for the ssl_cert_username_field (i.e. specify something like "sanrfc822Name" to have Dovecot extract the username from the designated alternative name). 2. Make the current code fail-over to rfc822Name SAN if emailAddress is provided for ssl_cert_username (less invasion in code, but less flexibility as well). Any i...
2019 Feb 05
0
CVE-2019-3814: Suitable client certificate can be used to login as other user
.... If there is no additional password verification, this allows the attacker to login as anyone else in the system. This affects only installations using: auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes Attacker must also have access to a valid trusted certificate without the ssl_cert_username_field in it. The default is commonName, which almost certainly exists in all certificates. This could happen for example if ssl_cert_username_field is a field that normally doesn't exist, and attacker has access to a web server's certificate (and key), which is signed with the same CA. Attack ca...
2019 Feb 05
3
Release notify (2.2.36.1 and 2.3.4.1)
...ttps://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
3
Release notify (2.2.36.1 and 2.3.4.1)
...ttps://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
0
Dovecot v2.2.36.1 released
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
0
Dovecot v2.3.4.1 released
...ttps://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
0
Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
...schreef Aki Tuomi: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the > ...
2019 Feb 05
0
Dovecot 2.3.4.1 released
...ttps://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This...
2019 Feb 05
0
Dovecot v2.2.36.1 released
...M, Aki Tuomi wrote: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the > ...
2019 Feb 05
0
Dovecot v2.2.36.1 released
...https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >>> * CVE-2019-3814: If imap/pop3/managesieve/submission client has >>> trusted certificate with missing username field >>> (ssl_cert_username_field), under some configurations Dovecot >>> mistakenly trusts the username provided via authentication >>> instead >>> of failing. >>> * ssl_cert_username_field setting was ignored with external SMTP >>> AUTH, >>> because non...
2019 Feb 05
0
Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
...schreef Aki Tuomi: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the > ...
2019 Feb 05
1
Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
...> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >> >> * CVE-2019-3814: If imap/pop3/managesieve/submission client has >> trusted certificate with missing username field >> (ssl_cert_username_field), under some configurations Dovecot >> mistakenly trusts the username provided via authentication >> instead >> of failing. >> * ssl_cert_username_field setting was ignored with external SMTP >> AUTH, >> because none of the MTAs (Postf...
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
...ault_setti .ssl_key = "", .ssl_key_password = "", .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", - .ssl_protocols = "!SSLv2", +#ifdef SSL_TXT_SSLV2 + .ssl_protocols = "!SSLv2 !SSLv3", +#else + .ssl_protocols = "!SSLv3", +#endif .ssl_cert_username_field = "commonName", .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE, -- 2.10.1
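Review bot: both branches of the new `#ifdef SSL_TXT_SSLV2` put `!SSLv3` into the default `.ssl_protocols`, which changes behaviour for every installation that relies on the default value; that deserves a NEWS entry and a matching update wherever the default is documented. The unchanged `.ssl_cipher_list` line above still names `!SSLv2` unconditionally, so if the guard is there for builds without SSLv2 it is worth confirming that the cipher string is still accepted on those builds.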