search for: ssl_require_crl

Hi I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_...

On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > doveconf -n? doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. ssl_client_ca_file should be used instead, but it has no effect in proxy mode:...

...n(-) --- a/src/config/all-settings.c +++ b/src/config/all-settings.c @@ -308,6 +308,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -26,6 +26,7 @@ static const struct setting_define maste DEF(SET_STR, ssl_protocols), DEF(SET_STR, ssl_cert_username_field), DEF(SET_STR, ssl_crypto_device), + DEF(SET_STR, ssl_lowest_vers...

...|grep ssl should suffice: > > ssl = required shouldn't it be: ssl = yes I was only aware of the choice of yes or no here, but I could be wrong. > ssl_ca = </usr/local/share/certs/ca-root-nss.crt > ssl_cert = </path/to/my/file.pem > ssl_key = </path/to/my/file.pem > ssl_require_crl = no > > I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a > temporary workaround, even though this is not what ssl_ca is for. It > happens to work, at least for now, but this is not a fix. > > ssl_client_ca_file should be used instead, but it h...

On Mon, 21 Sep 2015, Andrew McN wrote: >> http://wiki2.dovecot.org/Replication >> >> (quote) >> The client must be able to verify that the SSL certificate is valid, so >> you need to specify the directory containing valid SSL CA roots: >> >> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu >> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat

...rector } service pop3-login { executable = pop3-login director } ssl = required ssl_ca = </etc/pki/CA/ca-cert-***.pem ssl_cert = </etc/pki/tls/certs/dovecot.cert ssl_client_ca_file = </etc/pki/CA/ca-cert-***.pem ssl_key = </etc/pki/tls/private/dovecot.key ssl_protocols = !SSLv2 !SSLv3 ssl_require_crl = no userdb { driver = passwd } protocol doveadm { auth_socket_path = director-userdb } protocol sieve { passdb { args = proxy=y nopassword=y starttls=any-cert driver = static name = } } local 10.1.11.0/24 { doveadm_password = # hidden, use -P to show it } backend-machine $...

...r = vmail ? } } service imap-login { ? inet_listener imaps { ? ? ssl = yes ? } } ssl_ca = </etc/ssl/cacert.pem ssl_cert = </etc/ssl/certs/dovecot.pem ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/dovecot.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 !TLSv1 ssl_require_crl = no ssl_verify_client_cert = yes userdb { ? args = /usr/local/etc/dovecot/users ? driver = passwd-file } verbose_ssl = yes -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180201/8bfd560f/attachment-0001.htm...

...e tried the good cert I have for https and I used the Dovecot.org script to generate a self-signed certificate. 10-ssl.conf ## SSL settings #ssl = required ssl = yes #ssl = no ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt ssl_key = </etc/pki/dovecot/private/mydomain.com.key #ssl_ca = #ssl_require_crl = yes #ssl_client_ca_dir = #ssl_client_ca_file = #ssl_verify_client_cert = no #ssl_cert_username_field = commonName #ssl_dh_parameters_length = 1024 #ssl_protocols = !SSLv3 # SSL ciphers to use # ols values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:...

...r = vmail ? } } service imap-login { ? inet_listener imaps { ? ? ssl = yes ? } } ssl_ca = </etc/ssl/cacert.pem ssl_cert = </etc/ssl/certs/dovecot.pem ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/dovecot.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 !TLSv1 ssl_require_crl = no ssl_verify_client_cert = yes userdb { ? args = /usr/local/etc/dovecot/users ? driver = passwd-file } verbose_ssl = yes -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180201/0dbcd8b2/attachment.html&gt...

...host:993` I still can successfully renegotiate by > passing a single 'R'. Are you use good ssl_cipher_list (https://wiki.mozilla.org/Security/Server_Side_TLS)? My config ## Service options # 10-ssl ssl = yes ssl_cert = </etc/pki/tls/certs/.crt ssl_key = </etc/pki/tls/private/.key ssl_require_crl = no ssl_ca = </etc/pki/tls/cert.pem ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-A...

...GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_key = </etc/ssl/censored.hostname.com/censored.hostname.com.key ssl_protocols = !SSLv2 !SSLv3 ssl_require_crl = no userdb { args = uid=2000 gid=2000 home=/storage/vmail/%d/%n allow_all_users=yes driver = static } protocol lmtp { mail_plugins = " quota sieve" } protocol lda { mail_plugins = " sieve quota" } protocol imap { imap_client_workarounds = tb-extra-mailbox-sep...

...This is the last planned v2.2.x release. We didn't fix everything reported (especially build changes) to try to minimize any unexpected breakages. v2.3.2 will be out with a lot of fixes hopefully in a few weeks. That will start becoming the recommended version to run then. * login-proxy: If ssl_require_crl=no, allow revoked certificates. Also don't do CRL checks for incoming client certificates. * stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening /proc/self/io. This may still cause security problems if the process is ptrace()d at the same time. Instead, open it wh...

...> > On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > >> doveconf -n? > > doveconf -n|grep ssl should suffice: > > ssl = required > ssl_ca = </usr/local/share/certs/ca-root-nss.crt > ssl_cert = </path/to/my/file.pem > ssl_key = </path/to/my/file.pem > ssl_require_crl = no > > I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what ssl_ca is for. It happens to work, at least for now, but this is not a fix. > > ssl_client_ca_file should be used instead, but it has no effe...

...ng: service doveadm { inet_listener { port = 5001 ssl = yes } } At the same time, I would like to verify client certificates for connections goes to port 5001. I am trying to do the following, but it doesn't work: protocol doveadm { ssl_require_crl = yes ssl_verify_client_cert = yes } How could I achieve required behavior?

...This is the last planned v2.2.x release. We didn't fix everything reported (especially build changes) to try to minimize any unexpected breakages. v2.3.2 will be out with a lot of fixes hopefully in a few weeks. That will start becoming the recommended version to run then. * login-proxy: If ssl_require_crl=no, allow revoked certificates. Also don't do CRL checks for incoming client certificates. * stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening /proc/self/io. This may still cause security problems if the process is ptrace()d at the same time. Instead, open it wh...

...t.org/releases/2.1/dovecot-2.1.6.tar.gz http://dovecot.org/releases/2.1/dovecot-2.1.6.tar.gz.sig * Session ID is now included by default in auth and login process log lines. It can be added to mail processes also by adding %{session} to mail_log_prefix. + Added ssl_require_crl setting, which specifies if CRL check must be successful when verifying client certificates. + Added mail_shared_explicit_inbox setting to specify if a shared INBOX should be accessible as "shared/$user" or "shared/$user/INBOX". - v2.1.5: Usin...

...t.org/releases/2.1/dovecot-2.1.6.tar.gz http://dovecot.org/releases/2.1/dovecot-2.1.6.tar.gz.sig * Session ID is now included by default in auth and login process log lines. It can be added to mail processes also by adding %{session} to mail_log_prefix. + Added ssl_require_crl setting, which specifies if CRL check must be successful when verifying client certificates. + Added mail_shared_explicit_inbox setting to specify if a shared INBOX should be accessible as "shared/$user" or "shared/$user/INBOX". - v2.1.5: Usin...

...er imaps { > ? ? ssl = yes > ? } > } > ssl_ca = </etc/ssl/cacert.pem > ssl_cert = </etc/ssl/certs/dovecot.pem > ssl_dh_parameters_length = 2048 > ssl_key = </etc/ssl/private/dovecot.pem > ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 > ssl_require_crl = no > ssl_verify_client_cert = yes > userdb { > ? args = /usr/local/etc/dovecot/users > ? driver = passwd-file > } > verbose_ssl = yes > -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180...

...6-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > ssl_key = </etc/ssl/censored.hostname.com/censored.hostname.com.key > > ssl_protocols = !SSLv2 !SSLv3 > > ssl_require_crl = no > > userdb { > > args = uid=2000 gid=2000 home=/storage/vmail/%d/%n allow_all_users=yes > > driver = static > > } > > protocol lmtp { > > mail_plugins = " quota sieve" > > } > > protocol lda { > > mail_plugins = " sieve q...

http://dovecot.org/releases/2.1/dovecot-2.1.7.tar.gz http://dovecot.org/releases/2.1/dovecot-2.1.7.tar.gz.sig * Session ID is now included by default in auth and login process log lines. It can be added to mail processes also by adding %{session} to mail_log_prefix. + Added ssl_require_crl setting, which specifies if CRL check must be successful when verifying client certificates. + Added mail_shared_explicit_inbox setting to specify if a shared INBOX should be accessible as "shared/$user" or "shared/$user/INBOX". - v2.1.5: Using "~/" as mail_loc...