
List:       dovecot
Subject:    Sv: ssl_verify_client_cert=yes does not require a client certificate [invalid signature!]
From:       hristo () venev ! name (Hristo Venev)
Date:       2021-03-27 7:43:42
Message-ID: f41fe5389c5b4a7107740dde3e0a50ea21f02aed.camel () venev ! name

I can connect and I can send mail to dovecot using LMTP without
presenting a certificate:

    $ ncat pmx1.venev.name INSERT_LMTP_PORT_HERE --ssl
    220 pmx1.venev.name Dovecot ready.
    MAIL FROM:<root at example.org>
    250 2.1.0 OK
    RCPT TO:<hristo at venev.name>
    250 2.1.5 OK
    DATA
    354 OK
    Subject: This message skipped the MTA and went straight to the MDA
    .
    250 2.0.0 <hristo at venev.name> kKAKEm/fXmCbwwAAdB6GMg Saved

On Sat, 2021-03-27 at 00:17 +0100, Sebastian wrote:
> What I have understood is that you are able, in the configuration, to reject
> transactions with those that don't present a valid certificate.
> Ergo, they can connect, but they can't do anything.
> 
> -----Original Message-----
> From: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> On behalf of
> Hristo Venev
> Sent: 27 March 2021 00:16
> To: dovecot at dovecot.org
> Subject: ssl_verify_client_cert=yes does not require a client certificate
> [invalid signature!]
> 
> Hello,
> 
> I am trying to set up LMTP over TLS. I have set ssl_verify_client_cert:
> 
> protocol lmtp {
>     ssl_ca = </etc/cert/mail/ca.pem
>     ssl_cert = </etc/cert/mail/host.pem
>     ssl_key = </etc/cert/mail/host.key
>     ssl_verify_client_cert = yes
> }
> 
> However, clients can still connect without presenting a valid
> certificate.
> 
> In openssl_iostream_set() the flags given to SSL_set_verify() are
> SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE. For a certificate to be
> required, the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag also needs to be
> set:
> 
> diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-
> iostream/iostream-openssl.c
> index 5d11526f1..d8df96398 100644
> --- a/src/lib-ssl-iostream/iostream-openssl.c
> +++ b/src/lib-ssl-iostream/iostream-openssl.c
> @@ -235,7 +235,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
> ????????????????if (ssl_io->ctx->client_ctx)
> ????????????????????????verify_flags = SSL_VERIFY_NONE;
> ????????????????else
> -???????????????????????verify_flags = SSL_VERIFY_PEER |
> SSL_VERIFY_CLIENT_ONCE;
> +???????????????????????verify_flags = SSL_VERIFY_PEER |
> SSL_VERIFY_CLIENT_ONCE | 
> +SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
> ????????????????SSL_set_verify(ssl_io->ssl, verify_flags,
> ?????????????????????????????? openssl_iostream_verify_client_cert);
> ????????}
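Review bot: the added SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set for every non-client_ctx context, so with ssl_verify_client_cert=yes the handshake will now fail without a certificate on every server-side TLS listener, not only in the LMTP protocol block this report is about; consider gating the flag behind a setting so the existing request-but-accept behaviour stays available rather than changing it unconditionally. Separately, the mail client has wrapped the replacement line into three lines ("SSL_VERIFY_CLIENT_ONCE | " followed by "+SSL_VERIFY_FAIL_IF_NO_PEER_CERT;"), so the patch will not apply as pasted; please resend it as an attachment.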
> 
> 
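The flag pair discussed in this thread (SSL_VERIFY_PEER alone requests a client certificate and verifies one if offered, while SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes a missing certificate fatal) has a direct counterpart in Go's crypto/tls ClientAuthType, which makes the difference easy to reproduce in-process. The example below is added here for illustration and is not Dovecot's code or anyone's code from this thread; it uses only the Go standard library. The host name, the 220 banner and the self-signed certificate are constructed for the test, and the analogy to the OpenSSL flags is an assumption stated in the comments. The client never presents a certificate; with the "optional" mode it reads the banner just as the ncat session above did, and with the "required" mode it is rejected before any protocol traffic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed values for this example only; not a real host or Dovecot's banner.
const host = "lmtp.example.test"
const Banner = "220 lmtp.example.test ready\r\n"

// selfSignedCert makes a throwaway server certificate and its key.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// TryWithoutClientCert runs a TLS session over an in-memory pipe in which the
// client presents no certificate. requireCert=false is (by analogy) the server
// side of SSL_VERIFY_PEER alone: request, verify if given, accept if absent.
// requireCert=true adds the SSL_VERIFY_FAIL_IF_NO_PEER_CERT behaviour.
// It returns the banner the unauthenticated client managed to read, or the
// error that stopped it.
func TryWithoutClientCert(requireCert bool) (string, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	mode := tls.VerifyClientCertIfGiven
	if requireCert {
		mode = tls.RequireAndVerifyClientCert
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		ClientAuth:             mode,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // post-handshake traffic is then only our banner
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	// No Certificates on the client: it answers CertificateRequest with an empty message.
	clientCfg := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}

	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	_ = srvConn.SetDeadline(deadline)
	_ = cliConn.SetDeadline(deadline)
	defer srvConn.Close() // close the raw pipe ends so nothing blocks on close_notify
	defer cliConn.Close()
	server := tls.Server(srvConn, serverCfg)
	client := tls.Client(cliConn, clientCfg)

	serverDone := make(chan error, 1)
	go func() {
		if err := server.Handshake(); err != nil {
			serverDone <- err
			return
		}
		// Only a completed handshake reaches the protocol layer.
		_, err := server.Write([]byte(Banner))
		serverDone <- err
	}()

	// With TLS 1.3 the client's handshake returns before the server has judged
	// the (missing) certificate, so the verdict arrives on the first read:
	// either the banner or a bad_certificate alert.
	if err := client.Handshake(); err != nil {
		return "", err
	}
	buf := make([]byte, 256)
	n, err := client.Read(buf)
	if err != nil {
		return "", fmt.Errorf("rejected before banner: %w", err)
	}
	if err := <-serverDone; err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	for _, require := range []bool{false, true} {
		banner, err := TryWithoutClientCert(require)
		fmt.Printf("require client cert=%v: banner=%q err=%v\n", require, banner, err)
	}
}
```

Running it prints the banner for the optional mode and a "remote error: tls: bad certificate" for the required mode. The same split exists in OpenSSL: requesting a certificate is not the same as requiring one, and a server that relies on the verify callback alone still hands a session to a client that simply sends an empty Certificate message.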


