Displaying 5 results from an estimated 5 matches for "verify_client_cert".
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds.
(both Evolution and Thunderbird).
My...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi,
I came up with the following patch while trying to figure out a good solution
for the situation described in Debian bug #871987[1]. In short, OpenSSL in
Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...xy_ctx_verify_client(SSL_CTX *ssl_ctx, STACK_OF(X509_NAME) *ca_names)
+ssl_proxy_ctx_verify_client(SSL_CTX *ssl_ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE *store;
@@ -1079,8 +1048,6 @@
#endif
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
ssl_verify_client_cert);
- /* set list of CA names that are sent to client */
- SSL_CTX_set_client_CA_list(ssl_ctx, ca_names);
}
static const char *ssl_proxy_get_use_certificate_error(const char *cert)
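Review bot: with SSL_CTX_set_client_CA_list() removed from ssl_proxy_ctx_verify_client() and the ca_names parameter dropped, nothing in the visible lines sets the list of acceptable CA names that is sent in the CertificateRequest. If no replacement call exists elsewhere in the patch, clients that choose their certificate by matching that list may send none, so either keep the call or state in the commit message where the list is set now. The "set list of CA names that are sent to client" comment should move along with whatever replaces the call.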
@@ -1277,7 +1244,7 @@
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (ssl_ctx == NULL)
i_fat...
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...roxy_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
{
/* mostly just copy&pasted from SSL_CTX_use_certificate_chain_file() */
@@ -1209,7 +1282,6 @@
#endif
ssl_proxy_ctx_use_key(ctx->ctx, ssl_set);
- SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback);
if (ctx->verify_client_cert)
ssl_proxy_ctx_verify_client(ctx->ctx, xnames);
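Review bot: dropping SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback) in the @@ -1209 hunk is not explained by the subject line, which only mentions ECDH/ECDHE support. If the call was moved to another place in the patch, say so in the commit message; if it was removed outright, ssl_info_callback is no longer registered on this context, and that belongs in a separate change with its own justification.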
2006 Jul 07
2
Authentication by certificates (a bug or my misconfiguration)
...only by certificates). They do send requested certificates.
Important dovecot configuration:
ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem
(common name - pop3.ppgk.com.pl, valid dns name)
ssl_key_file = /etc/ssl/ca_ppgk/private/pop3_key.pem
ssl_ca_file = /etc/ssl/ca_ppgk/ca_crt.pem
ssl_verify_client_cert = yes
verbose_ssl = yes
auth_verbose = yes
ssl_require_client_cert = yes
ssl_username_from_cert = (tested both with yes and no,
with common name of user certificate set both as
username at domain or as bare username)
The rest is just pretty standard, using passwd for both
user auth and userdb,...