search for: ssl_require_crl

Displaying 20 results from an estimated 77 matches for "ssl_require_crl".

2013 Apr 07
1
ssl_require_crl does not work as expected
Hi, I'm trying to use dovecot with client certificates. We produce our certificates with our own CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution either in the wiki or anywhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > doveconf -n? doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. ssl_client_ca_file should be used instead, but it has no effect in proxy mode:...
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...n(-) --- a/src/config/all-settings.c +++ b/src/config/all-settings.c @@ -308,6 +308,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -26,6 +26,7 @@ static const struct setting_define maste DEF(SET_STR, ssl_protocols), DEF(SET_STR, ssl_cert_username_field), DEF(SET_STR, ssl_crypto_device), + DEF(SET_STR, ssl_lowest_vers...
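Review bot: the new DEF(SET_STR, ssl_lowest_version) in the second hunk sits beside the existing DEF(SET_STR, ssl_protocols), and the two settings can express conflicting version policies; the patch should state (in the setting's documentation and in the parsing code) which one takes precedence when both are configured, so an operator who excludes a version in ssl_protocols is not surprised by ssl_lowest_version.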
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
...|grep ssl should suffice: > > ssl = required shouldn't it be: ssl = yes I was only aware of the choice of yes or no here, but I could be wrong. > ssl_ca = </usr/local/share/certs/ca-root-nss.crt > ssl_cert = </path/to/my/file.pem > ssl_key = </path/to/my/file.pem > ssl_require_crl = no > > I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a > temporary workaround, even though this is not what ssl_ca is for. It > happens to work, at least for now, but this is not a fix. > > ssl_client_ca_file should be used instead, but it h...
2015 Sep 21
2
Dovecot proxy ignores trusted root certificate store
On Mon, 21 Sep 2015, Andrew McN wrote: >> http://wiki2.dovecot.org/Replication >> >> (quote) >> The client must be able to verify that the SSL certificate is valid, so >> you need to specify the directory containing valid SSL CA roots: >> >> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
2017 Jan 09
1
panic when doveadm sieve put between multiple hosts
...rector } service pop3-login { executable = pop3-login director } ssl = required ssl_ca = </etc/pki/CA/ca-cert-***.pem ssl_cert = </etc/pki/tls/certs/dovecot.cert ssl_client_ca_file = </etc/pki/CA/ca-cert-***.pem ssl_key = </etc/pki/tls/private/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_require_crl = no userdb { driver = passwd } protocol doveadm { auth_socket_path = director-userdb } protocol sieve { passdb { args = proxy=y nopassword=y starttls=any-cert driver = static name = } } local 10.1.11.0/24 { doveadm_password = # hidden, use -P to show it } backend-machine $...
2018 Feb 01
2
Why does dovecot reject password when authorizing by a certificate?
...r = vmail } } service imap-login { inet_listener imaps { ssl = yes } } ssl_ca = </etc/ssl/cacert.pem ssl_cert = </etc/ssl/certs/dovecot.pem ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/dovecot.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 !TLSv1 ssl_require_crl = no ssl_verify_client_cert = yes userdb { args = /usr/local/etc/dovecot/users driver = passwd-file } verbose_ssl = yes
2020 Nov 15
1
no shared cipher openssl
...e tried the good cert I have for https and I used the Dovecot.org script to generate a self-signed certificate. 10-ssl.conf ## SSL settings #ssl = required ssl = yes #ssl = no ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt ssl_key = </etc/pki/dovecot/private/mydomain.com.key #ssl_ca = #ssl_require_crl = yes #ssl_client_ca_dir = #ssl_client_ca_file = #ssl_verify_client_cert = no #ssl_cert_username_field = commonName #ssl_dh_parameters_length = 1024 #ssl_protocols = !SSLv3 # SSL ciphers to use # ols values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:...
2018 Feb 01
2
Why does dovecot reject password when authorizing by a certificate?
...r = vmail } } service imap-login { inet_listener imaps { ssl = yes } } ssl_ca = </etc/ssl/cacert.pem ssl_cert = </etc/ssl/certs/dovecot.pem ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/dovecot.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 !TLSv1 ssl_require_crl = no ssl_verify_client_cert = yes userdb { args = /usr/local/etc/dovecot/users driver = passwd-file } verbose_ssl = yes
2016 Mar 10
2
Client-initiated secure renegotiation
...host:993` I still can successfully renegotiate by > passing a single 'R'. Are you using a good ssl_cipher_list (https://wiki.mozilla.org/Security/Server_Side_TLS)? My config ## Service options # 10-ssl ssl = yes ssl_cert = </etc/pki/tls/certs/.crt ssl_key = </etc/pki/tls/private/.key ssl_require_crl = no ssl_ca = </etc/pki/tls/cert.pem ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-A...
2016 Oct 30
2
Defining INDEX target to other location than maildir seems to have no effect.
...GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_key = </etc/ssl/censored.hostname.com/censored.hostname.com.key ssl_protocols = !SSLv2 !SSLv3 ssl_require_crl = no userdb { args = uid=2000 gid=2000 home=/storage/vmail/%d/%n allow_all_users=yes driver = static } protocol lmtp { mail_plugins = " quota sieve" } protocol lda { mail_plugins = " sieve quota" } protocol imap { imap_client_workarounds = tb-extra-mailbox-sep...
2018 May 23
0
v2.2.36 released
...This is the last planned v2.2.x release. We didn't fix everything reported (especially build changes) to try to minimize any unexpected breakages. v2.3.2 will be out with a lot of fixes hopefully in a few weeks. That will start becoming the recommended version to run then. * login-proxy: If ssl_require_crl=no, allow revoked certificates. Also don't do CRL checks for incoming client certificates. * stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening /proc/self/io. This may still cause security problems if the process is ptrace()d at the same time. Instead, open it wh...
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
...> > On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > >> doveconf -n? > > doveconf -n|grep ssl should suffice: > > ssl = required > ssl_ca = </usr/local/share/certs/ca-root-nss.crt > ssl_cert = </path/to/my/file.pem > ssl_key = </path/to/my/file.pem > ssl_require_crl = no > > I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. > > ssl_client_ca_file should be used instead, but it has no effe...
2016 Nov 20
0
doveadm service: verify client cert
...ng: service doveadm { inet_listener { port = 5001 ssl = yes } } At the same time, I would like to verify client certificates for connections going to port 5001. I am trying to do the following, but it doesn't work: protocol doveadm { ssl_require_crl = yes ssl_verify_client_cert = yes } How could I achieve the required behavior?
2012 May 07
0
v2.1.6 released
...t.org/releases/2.1/dovecot-2.1.6.tar.gz http://dovecot.org/releases/2.1/dovecot-2.1.6.tar.gz.sig * Session ID is now included by default in auth and login process log lines. It can be added to mail processes also by adding %{session} to mail_log_prefix. + Added ssl_require_crl setting, which specifies if CRL check must be successful when verifying client certificates. + Added mail_shared_explicit_inbox setting to specify if a shared INBOX should be accessible as "shared/$user" or "shared/$user/INBOX". - v2.1.5: Usin...
2018 Feb 01
0
Why does dovecot reject password when authorizing by a certificate?
...er imaps { > ssl = yes > } > } > ssl_ca = </etc/ssl/cacert.pem > ssl_cert = </etc/ssl/certs/dovecot.pem > ssl_dh_parameters_length = 2048 > ssl_key = </etc/ssl/private/dovecot.pem > ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 > ssl_require_crl = no > ssl_verify_client_cert = yes > userdb { > args = /usr/local/etc/dovecot/users > driver = passwd-file > } > verbose_ssl = yes
2016 Nov 05
1
Defining INDEX target to other location than maildir seems to have no effect.
...6-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > ssl_key = </etc/ssl/censored.hostname.com/censored.hostname.com.key > > ssl_protocols = !SSLv2 !SSLv3 > > ssl_require_crl = no > > userdb { > > args = uid=2000 gid=2000 home=/storage/vmail/%d/%n allow_all_users=yes > > driver = static > > } > > protocol lmtp { > > mail_plugins = " quota sieve" > > } > > protocol lda { > > mail_plugins = " sieve q...
2012 May 29
2
v2.1.7 released
http://dovecot.org/releases/2.1/dovecot-2.1.7.tar.gz http://dovecot.org/releases/2.1/dovecot-2.1.7.tar.gz.sig * Session ID is now included by default in auth and login process log lines. It can be added to mail processes also by adding %{session} to mail_log_prefix. + Added ssl_require_crl setting, which specifies if CRL check must be successful when verifying client certificates. + Added mail_shared_explicit_inbox setting to specify if a shared INBOX should be accessible as "shared/$user" or "shared/$user/INBOX". - v2.1.5: Using "~/" as mail_loc...