List: dovecot
Subject: Re: [feature request] SSL handshake rejection for non-SNI clients
From: Aki Tuomi via dovecot <dovecot () dovecot ! org>
Date: 2023-05-16 12:05:25
Message-ID: 745494907.9224.1684238725913 () asd-stable-core-mw-default-1 ! asd-stable-core-mw-hazelcast-headless ! asd-stable ! svc ! cluster ! local
Hi!
We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_cert
Aki
> On 16/05/2023 14:58 EEST Sean Gallagher <sean@teletech.com.au> wrote:
>
>
> It gets worse! If you request a client certificate, Dovecot will not
> check the name on the certificate, only that it is signed by a known CA.
> I raised this issue on this list some time ago and got no response. I'm
> not sure anyone is listening.
>
> On 16/05/2023 7:54 pm, Serg via dovecot wrote:
> > I would like to offer to implement a feature to reject SSL handshakes
> > for a default certificate-key pair for efficiently discarding bot
> > requests (i.e. such requests that provide invalid/not configured
> > hostname or do not specify at all, like when doing request to the IP
> > address directly).
> >
> > Nginx has such feature already implemented as seen here[1], and it
> > would be beneficial if dovecot would support this too.
> >
> > Currently I am using the following SSL configuration snippet to mimic
> > such behavior:
> >
> > > ssl_cert = </etc/ssl/dovecot/server.crt
> > > ssl_key = </etc/ssl/dovecot/server.key
> > >
> > > local_name flopster.at.encryp.ch {
> > >   ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
> > >   ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
> > > }
> >
> > But in this case the problem is that the invalid requests (for this
> > example it is requests that don't have Server Name Indication at all
> > or mention anything else but not flopster.at.encryp.ch) are still
> > being replied by Dovecot with a TLS certificate rather than being
> > simply rejected with a TLSV1_UNRECOGNIZED_NAME error code.
> >
> > [1]:
> > <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake>
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-leave@dovecot.org
>