Displaying 9 results from an estimated 9 matches for "x509_name_get_text_by_nid".
2012 Apr 09
1
Username from rfc822Name subject alternative name
...t for extracting the username from client
certificate's rfc822Name (from the subjectAltName extension).
The question I have is what would be the best approach to do this?
Current implementation has a kind of clean code since it just goes
through the subject name, extracting the values with
X509_NAME_get_text_by_NID (while NID is obtained with OBJ_txt2nid). If I
were to add this, it's bound to make the code a little bit more
complicated since SANs can't be retrieved in the same way.
So far in terms of options I have, I can see the following:
1. Create a distinct configuration option for the
s...
2007 May 29
2
Client certificate verification/authentication
...ch in my MTA
Not in Dovecot...
In my log, I've simply:
dovecot: auth(default): Client didn't present valid SSL certificate
Also, in the documentation
The username is taken from the subject's DN's CommonName
<http://wiki.dovecot.org/CommonName> field (using OpenSSL's
X509_NAME_get_text_by_NID() function).
But when I used
openssl req -new -nodes -keyout user_key.pem -out user_req.pem -days 365
my common name is my hostname not my username.
I don't think that the option -name user@hostname (in manpage openssl
:: -name is friendly name)...
Sorry but it's ambiguous for me.....
2006 Jun 01
1
ssl-proxy: client certificates and crl check
.... */
- X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
- name = t_strndup(buf, sizeof(buf));
+ /* HJHJ */
+ /* the X509_N_gtbN can return -1 without 0-terminating buf */
+ /* if the call succeeds buf is 0-terminated (openssl 0.9.7e / 0.9.8b src) */
+ buf[0] = '\0';
+ if( X509_NAME_get_text_by_NID(X509_get_subject_name(x509),NID_commonName,buf,sizeof(buf)) < 0 )
+ { buf[0] = '\0'; }
+ name = t_strndup(buf, sizeof(buf) );
X509_free(x509);
-
+ /* HJHJ */
+
return *name == '\0' ? NULL : name;
}
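Review bot: In the X509_NAME_get_text_by_NID() call, the return value is only tested for `< 0` and then thrown away, so a commonName containing an embedded NUL byte is silently cut short when `t_strndup(buf, sizeof(buf))` copies buf as a C string. On success the function returns the number of bytes it copied; keep that in a variable and return NULL when it differs from `strlen(buf)`, so a truncated name is never handed back to the caller. The `buf[0] = '\0'` before the call and the one in the error branch overlap; the one in the error branch is enough. The `/* HJHJ */` markers should be dropped before this is merged.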
@@ -582,10 +588,22 @@
proxy = SSL_get_ex_data(ssl, extdata_index);...
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds.
(both Evolution and Thunderbird).
My bad? Please advise.
Q2)
The next step, if dovecot blocks
2012 Oct 30
5
Pigeonhole 3.3 broken against Dovecot 2.1.10
...'
/usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to
`X509_NAME_get_index_by_NID@OPENSSL_1.0.0'
/usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to
`d2i_DHparams@OPENSSL_1.0.0'
/usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to
`X509_NAME_get_text_by_NID@OPENSSL_1.0.0'
/usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to
`OPENSSL_add_all_algorithms_noconf@OPENSSL_1.0.0'
/usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to
`ENGINE_set_default_DSA@OPENSSL_1.0.0'
/usr/local/lib/dovecot/libdovecot-...
2017 Aug 25
3
trouble compiling Dovecot 2.2.31 on Solaris 10 SPARC - libssl_iostream_openssl.so is not portable!
...m_openssl.so
PEM_X509_INFO_read_bio ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
X509_NAME_oneline ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
ERR_get_error_line_data ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
SSL_write ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
X509_NAME_get_text_by_NID ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
SSL_get_ex_new_index ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
SSL_get_error ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
ENGINE_init ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so
ENGINE_free ../lib-ssl-iostream/.libs/li...
2006 Nov 23
1
dovecont.conf and "Evolution Mail" configuration
...d_chroot_dirs isn't needed to use this setting.
#chroot =
# Number of authentication processes to create
#count = 1
# Require a valid SSL client certificate or the authentication fails.
#ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#ssl_username_from_cert = no
# It's possible to export the authentication interface to other programs:
#socket listen {
#master {
# Master socket is typically used to give Dovecot's local delivery
# agent acce...
2007 Feb 15
4
I keep getting password mismatches
Hey,
This is the debug information:
auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=127.0.0.1 rip=127.0.0.1 resp=AG1hcmsAbWFyaw==
auth(default): passwd(mark,127.0.0.1): password mismatch
auth(default): client out: FAIL 1 user=mark
imap-login: Disconnected: user=<mark>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
The strange thing is that I
2008 May 01
1
(no subject)
...chroot_dirs isn't needed to use this setting.
#chroot =
# Number of authentication processes to create
#count = 1
# Require a valid SSL client certificate or the authentication fails.
#ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#ssl_username_from_cert = no
# It's possible to export the authentication interface to other programs:
socket listen {
master {
# Master socket provides access to userdb information. It's typically
# used to...