Displaying 20 results from an estimated 4000 matches similar to: "how to handle CA CRL updates with client certificate verification context ?"
2009 Jul 30
1
Dovecot with SSL Client Certification
Hi,
I am trying to set up dovecot over ssl in the last couple of days, unsuccessfully
My notes are from here: http://wiki.dovecot.org/SSL
My OpenSSL commands are:
mkdir -pv /opt/certificates/dovecot/
cd !$
(just to prevent questions about Common Name)
[ebal at myhome:~]? hostname
myhome
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
# Country Name (2 letter code)
2006 Jul 31
2
Dovecot and SSL certificates
Hello,
we're running RC2 and seeing a problem with the way SSL certs
are handled by Dovecot.
We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no.
Using this setup we get (rather interesting) log entries like these:
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA
2014 Dec 22
4
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Bug ID: 2328
Summary: Per-user certificate revocation list (CRL) in
authorized_keys
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
2007 Apr 03
2
No CA names sent in TLS handshake
Hello,
I'm setting up Dovecot with client certificates and everything is
working fine as long as the client only has one certificate in his
store. If he has more than one, the wrong one might be sent to the server.
The root of the problem is that Dovecot does not send out a list of
valid CA names in the TLS handshake.
If I connect using openssl s_client I get:
"No client
2006 Jul 07
2
Authentication by certificates (a bug or my misconfiguration)
Today I've been trying to get dovecot (1.0 rc2) to use certificates
for client side authentication. If my memory serves right, beta8
had no problems with it (although it was some time ago and on different
machine).
Similar setup works perfectly well for postfix (for authentication
that is, on the same machine). Originally I thought I overdid some
certificate settings (keyUsage, nsCertType,
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Hi,
I have a smartcard which is revoked in the Certificate Revocation List
(CRL) but I can still log in. Seems like the CRL check is not performed. Any
known bug around this?
Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
tls enabled = yes
tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
Client setup:
- Windows 7 machine as
2006 Aug 11
0
SSL CRL checking
Is there a reason that CRL is required to exist in the ssl_ca_file?
Could it just use it only if it's there, but otherwise ignore it? Or is
this a bad idea? Is it even possible at all to tell that to OpenSSL?
2010 Sep 09
2
using palm pre client with imap server
Hello
Anyone here tried to use palm pre built-in email client with imap server (TLS)?
Mine does not work; only one line in the log.
imap-login: Disconnected (no auth attempts): rip=xxx.xxx.19.21,
lip=xxx.yyy.zzz.aaa
dovecot -n
# 1.2.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.9-42.ELsmp i686 Red Hat Enterprise Linux ES release 4
(Nahant Update 8) ext3
base_dir: /var/run/dovecot
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds.
(both Evolution and Thunderbird).
My bad? Please advise.
Q2)
The next step, if dovecot blocks
2007 May 29
2
Client certificate verification/authentication
I would like to use Client certificate verification/authentication.
My MTA used this function.
I have a problem making a valid certificate.
For my MTA I used:
openssl req -new -nodes -x509 -keyout user_key.pem -out user_req.pem -days 365
openssl ca -out user_signed.pem -infiles user_req.pem
openssl pkcs12 -in user_signed.pem -inkey user_key.pem -out user.p12
-export -name "user at
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Thanks but I've actually tried that too. Not sure I put it in [kdc] section
though, I can try again.
On 21 Sep 2017 at 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote:
> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still log in. Seems
2013 Apr 07
1
ssl_require_crl does not work as expected
Hi
I'm trying to use dovecot with client certificates. We produce our
certificates with our own CA and we do NOT use certificate revocation lists.
So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution
either in the wiki or anywhere else, so I finally started to read the source.
My impression is that openssl will always try to use CRLs. If
2009 Nov 04
2
Certificates Revocation Lists and Apache...
Hi,
already asked in the openssl mailing list, but just in case you already went through this...
I need a little help with Certificate Revocation Lists.
I did set up client certificates filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SSL" is
2015 Feb 16
2
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
"The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required
2008 May 07
1
[bug] bit of a clearer error message desired - Can't load CA file... : Success
Not the clearest of error messages. A successful cannot load.
May 7 21:05:29 10.10.10.213 dovecot: child 21500 (login) returned error 89
May 7 21:05:29 10.10.10.213 dovecot: child 21501 (login) returned error 89
May 7 21:05:29 10.10.10.213 dovecot: child 21502 (login) returned error 89
May 7 21:05:29 10.10.10.213 dovecot: child 21503 (login) returned error 89
May 7 21:05:29 10.10.10.213
2015 Feb 16
1
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one
2008 Jan 30
2
SSL certificate?
When I install an SSL certificate, I can't find a config option to configure the Server Certificate Chain
file...
Is this not possible or can I do it another way?
(When I connect, I am being told the Signature status is uncheckable...)
Regards,
BTJ
--
-----------------------------------------------------------------------------------------------
Bj?rn T Johansen
btj at havleik.no
2019 Jun 16
2
Self-signed TLS client certificates
Dear List,
I self-host my e-mail and have run Dovecot ever since I started doing that. Dovecot
version is 2.3.4.1 (f79e8e7e4), running on Debian testing.
Now I am trying to configure Dovecot for client TLS certificates. I have
a self-signed certificate whose private key resides on a smartcard
(Yubikey, to be exact). I wanted Dovecot to accept that TLS client
certificate instead of a password. So I searched and
2008 Oct 22
3
dovecot and postfix with tls and dovecot sasl issues for smtp clients
This issue is peripherally related to the following thread
Re: [Dovecot] client certs with godaddy ssl cert
This is running on CentOS 5.2 with latest Atrpms for Dovecot as of this
weekend.
# rpm -qa | grep dovecot
dovecot-sieve-1.1.5-8.el5
dovecot-1.1.4-0_81.el5
With assistance from Rainer Frey (Inxmail GmbH), I am able to successfully
use client ssl certs for imap access on both my Nokia
2015 Oct 11
2
dovecot as proxy and verification of the backend's certificate
Hello,
I'm using a dovecot as proxy, connecting to one or more backends.
The backends use X.509 certificates.
The proxy's passdb returns
extra fields:
user=foo
proxy
host=backend1.<domain>
ssl=yes
nopassword=y
Thus the proxy connects to the backend but can't verify the backend's
certificate.
The following comment suggests using ssl_client_ca_file for