
List:       dovecot
Subject:    Re: [feature request] SSL handshake rejection for non-SNI clients
From:       Aki Tuomi via dovecot <dovecot () dovecot ! org>
Date:       2023-05-16 12:05:25
Message-ID: 745494907.9224.1684238725913 () asd-stable-core-mw-default-1 ! asd-stable-core-mw-hazelcast-headless ! asd-stable ! svc ! cluster ! local

Hi!

We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.

https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_cert

Aki

> On 16/05/2023 14:58 EEST Sean Gallagher <sean@teletech.com.au> wrote:
> 
> 
> It gets worse! If you request a client certificate, Dovecot will not 
> check the name on the certificate, only that it is signed by a known CA. 
> I raised this issue on this list some time ago and got no response. I'm 
> not sure anyone is listening.
> 
> On 16/05/2023 7:54 pm, Serg via dovecot wrote:
> > I would like to offer to implement a feature to reject SSL handshakes 
> > for a default certificate-key pair for efficiently discarding bot 
> > requests (i.e. such requests that provide invalid/not configured 
> > hostname or do not specify at all, like when doing request to the IP 
> > address directly).
> > 
> > Nginx has such feature already implemented as seen here[1], and it 
> > would be beneficial if dovecot would support this too.
> > 
> > Currently I am using the following SSL configuration snippet to mimic 
> > such behavior:
> > 
> > > ssl_cert = </etc/ssl/dovecot/server.crt
> > > ssl_key = </etc/ssl/dovecot/server.key
> > > 
> > > local_name flopster.at.encryp.ch {
> > >   ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
> > >   ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
> > > }
> > 
> > But in this case the problem is that the invalid requests (for this 
> > example it is requests that don't have Server Name Indication at all 
> > or mention anything else but not flopster.at.encryp.ch) are still 
> > being replied by Dovecot with a TLS certificate rather than being 
> > simply rejected with a TLSV1_UNRECOGNIZED_NAME error code.
> > 
> > [1]: 
> > <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake>
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-leave@dovecot.org
> 

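The behaviour Serg asks for above (refuse the handshake outright when the ClientHello carries no SNI or an unconfigured name, instead of answering with a default certificate), shown as an added example in Go's crypto/tls. This is not Dovecot code and not how Dovecot behaves per the thread; it models what nginx's ssl_reject_handshake does, using a GetCertificate callback that returns an error so the server aborts with a fatal alert before any certificate is sent. The host name is the one from the thread; the helper names (selfSigned, strictSNIConfig, tryHandshake, probe), the self-signed test certificate and the unknown name "mail.example.invalid" are assumptions made for the example. Which alert the peer sees on rejection is library-specific (the thread's request names TLSV1_UNRECOGNIZED_NAME for nginx); the example only asserts that the handshake fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Errors returned from GetCertificate. Go's TLS server aborts the handshake
// with a fatal alert when the callback returns an error, so no default
// certificate is ever shown to the client.
var (
	errNoSNI       = errors.New("no SNI in ClientHello: rejecting handshake")
	errUnknownName = errors.New("SNI name not configured: rejecting handshake")
)

// selfSigned creates a throwaway self-signed certificate for name. It stands
// in for the per-domain certificate files in the thread (hypothetical helper).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// strictSNIConfig builds a server config with no default certificate: the
// handshake only completes when the client's SNI matches a configured name.
func strictSNIConfig(certs map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the in-memory pipe below free of extra records
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				return nil, errNoSNI
			}
			cert, ok := certs[hello.ServerName]
			if !ok {
				return nil, errUnknownName
			}
			return &cert, nil
		},
	}
}

// tryHandshake performs one client handshake against srvCfg over an in-memory
// net.Pipe (no sockets) and returns the client-side error, nil on success.
func tryHandshake(srvCfg *tls.Config, sni string) error {
	cli, srv := net.Pipe()
	defer cli.Close()
	defer srv.Close()
	done := make(chan error, 1)
	go func() { done <- tls.Server(srv, srvCfg).Handshake() }()
	// An empty ServerName makes the Go client omit the SNI extension, which is
	// what a bot connecting by IP address does. The self-signed test cert
	// cannot be chain-verified, so verification is skipped; the point here is
	// the server's decision, which happens before any certificate is sent.
	cliCfg := &tls.Config{ServerName: sni, InsecureSkipVerify: true}
	err := tls.Client(cli, cliCfg).Handshake()
	<-done
	return err
}

// probe reports, per SNI value, whether the server completed the handshake.
func probe(srvCfg *tls.Config, snis []string) map[string]bool {
	out := make(map[string]bool, len(snis))
	for _, s := range snis {
		out[s] = tryHandshake(srvCfg, s) == nil
	}
	return out
}

func main() {
	const name = "flopster.at.encryp.ch" // the host name from the thread
	cert, err := selfSigned(name)
	if err != nil {
		panic(err)
	}
	cfg := strictSNIConfig(map[string]tls.Certificate{name: cert})
	for sni, ok := range probe(cfg, []string{name, "", "mail.example.invalid"}) {
		fmt.Printf("SNI %q -> handshake completed: %v\n", sni, ok)
	}
}
```

Only the handshake with the configured name completes; the empty-SNI and unknown-name attempts fail on the client side without the server ever selecting a certificate. The same GetCertificate hook is where a production server would log the rejected name and source address for rate limiting, which is what the default-certificate approach in the quoted Dovecot snippet cannot do, since there the handshake always succeeds.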
