Displaying 5 results from an estimated 5 matches for "verify_client_cert".

2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet). Expected behavior: Stop the SSL (the client doesn't have a cert installed). Current behavior: Mail clients accept SSL and login succeeds (both Evolution and Thunderbird). My...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...xy_ctx_verify_client(SSL_CTX *ssl_ctx, STACK_OF(X509_NAME) *ca_names) +ssl_proxy_ctx_verify_client(SSL_CTX *ssl_ctx) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L X509_STORE *store; @@ -1079,8 +1048,6 @@ #endif SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_client_cert); - /* set list of CA names that are sent to client */ - SSL_CTX_set_client_CA_list(ssl_ctx, ca_names); } static const char *ssl_proxy_get_use_certificate_error(const char *cert) @@ -1277,7 +1244,7 @@ ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method()); if (ssl_ctx == NULL) i_fat...
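Review bot: in the hunk at -1079 the call SSL_CTX_set_client_CA_list(ssl_ctx, ca_names) is removed together with the ca_names parameter, and nothing in the visible lines replaces it. Per the removed comment, that list is what gets sent to the client, so clients that choose a certificate by matching the advertised CA names may no longer offer one. If the list is set elsewhere in the part of the patch not shown here, say so in the commit message; otherwise keep the call or document the change in behaviour for ssl_verify_client_cert users.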
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...roxy_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert) { /* mostly just copy&pasted from SSL_CTX_use_certificate_chain_file() */ @@ -1209,7 +1282,6 @@ #endif ssl_proxy_ctx_use_key(ctx->ctx, ssl_set); - SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback); if (ctx->verify_client_cert) ssl_proxy_ctx_verify_client(ctx->ctx, xnames); -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachm...
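Review bot: the hunk at -1209 removes SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback), which the subject line (ECDH/ECDHE cipher suite support) does not account for. If the call was moved rather than dropped, note that in the commit message; if it was dropped, split it into its own patch with a reason, since the visible lines give no replacement for the callback.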
2006 Jul 07
2
Authentication by certificates (a bug or my misconfiguration)
...only by certificates). They do send requested certificates. Important dovecot configuration: ssl_cert_file = /etc/ssl/ca_ppgk/certs/pop3_crt.pem (common name - pop3.ppgk.com.pl, valid dns name) ssl_key_file = /etc/ssl/ca_ppgk/private/pop3_key.pem ssl_ca_file = /etc/ssl/ca_ppgk/ca_crt.pem ssl_verify_client_cert = yes verbose_ssl = yes auth_verbose = yes ssl_require_client_cert = yes ssl_username_from_cert = (tested both with yes and no, with common name of user certificate set both as username at domain or as bare username) The rest is just pretty standard, using passwd for both user auth and userdb,...