Get client certificates working correctly in Dovecot
It seems that a bug in Dovecot makes it not send the list of accepted CA names (the certificate_authorities field of the TLS CertificateRequest message) during the TLS handshake, so a client cannot tell which of its client certificates the server will accept.
Thanks to Timo Sirainen on the Dovecot mailing list, there is now a patch that fixes the problem:
Index: src/login-common/ssl-proxy-openssl.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v
retrieving revision 1.55
diff -u -r1.55 ssl-proxy-openssl.c
— src/login-common/ssl-proxy-openssl.c 18 Mar 2007 02:51:19 -0000 1.55
+++ src/login-common/ssl-proxy-openssl.c 3 Apr 2007 09:55:23 -0000
@@ -756,6 +756,8 @@
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE,
ssl_verify_client_cert);
+ SSL_CTX_set_client_CA_list(ssl_ctx,
+ SSL_load_client_CA_file(cafile));
}
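Review bot: the return value of SSL_load_client_CA_file(cafile) in the added SSL_CTX_set_client_CA_list call is never checked. If cafile cannot be read or contains no certificates, SSL_load_client_CA_file returns NULL, the context silently ends up with an empty CA list and the server behaves exactly as it did before the patch, with nothing in the log to explain why. Load the list into a variable first, test it for NULL and report a fatal configuration error the way the surrounding code does, then pass the non-NULL list to SSL_CTX_set_client_CA_list.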
Note that if the client has only one client certificate, you will probably not notice the missing list: the client simply presents the one certificate it has. If the client has several client certificates, however, the list is essential, because without the CA names it cannot tell which certificate the server will accept.
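To see the difference on the wire, the following script (an added example, not from the original post or from Dovecot) reproduces both behaviours with the openssl command-line tool: it starts one openssl s_server that requests a client certificate with -CAfile, which makes s_server call SSL_CTX_set_client_CA_list exactly as the patch does, and one without -CAfile, which leaves the CertificateRequest's CA list empty like the unpatched Dovecot. A probe with openssl s_client then reports whether "Acceptable client certificate CA names" or "No client certificate CA names sent" appears. It assumes openssl is on PATH and that the two loopback ports 14433 and 14434 are free; the certificates are throwaway self-signed test data generated on the fly.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): check whether a
# TLS server advertises a list of acceptable client CA names in its
# CertificateRequest, using nothing but the openssl command-line tool.
# Assumptions: "openssl" is on PATH and the two loopback ports below are free.
set -e

PORT_WITH_CA=14433      # s_server started with -CAfile: CA names are sent
PORT_WITHOUT_CA=14434   # s_server started without -CAfile: empty CA list

# Generate a throwaway self-signed "client CA" and a self-signed server cert
# (constructed test data, valid for one day).
make_test_certs() {
    certdir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Client CA" \
        -keyout "$certdir/ca.key" -out "$certdir/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" \
        -keyout "$certdir/srv.key" -out "$certdir/srv.crt" >/dev/null 2>&1
}

# Block until a TLS server accepts connections on the given port, or give up
# after about 15 seconds (s_client prints CONNECTED once the TCP connect works).
wait_for_port() {
    tries=0
    while ! openssl s_client -connect "127.0.0.1:$1" </dev/null 2>/dev/null \
            | grep -q CONNECTED; do
        tries=$((tries + 1))
        [ "$tries" -lt 15 ] || return 1
        sleep 1
    done
}

# Connect once to host:port and report what the CertificateRequest carried.
# Prints "advertised" (CA names sent), "none" (empty list) or "unknown".
probe_ca_list() {
    hello=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null || true)
    if printf '%s\n' "$hello" | grep -q "Acceptable client certificate CA names"; then
        echo advertised
    elif printf '%s\n' "$hello" | grep -q "No client certificate CA names sent"; then
        echo none
    else
        echo unknown
    fi
}

# Start an s_server on $1 that requests (but does not require) a client
# certificate, serving the cert pair in $2. $3 is an optional CA file: with
# it, s_server installs the CA names via SSL_CTX_set_client_CA_list; without
# it, verification is on but the CertificateRequest carries no CA names.
start_server() {
    if [ -n "$3" ]; then
        openssl s_server -accept "$1" -cert "$2/srv.crt" -key "$2/srv.key" \
            -verify 1 -CAfile "$3" -www </dev/null >/dev/null 2>&1 &
    else
        openssl s_server -accept "$1" -cert "$2/srv.crt" -key "$2/srv.key" \
            -verify 1 -www </dev/null >/dev/null 2>&1 &
    fi
    echo $!
}

# Run both server configurations in turn and print one result line for each.
run_demo() {
    workdir=$(mktemp -d)
    make_test_certs "$workdir"

    pid=$(start_server "$PORT_WITH_CA" "$workdir" "$workdir/ca.crt")
    wait_for_port "$PORT_WITH_CA"
    echo "with -CAfile:    $(probe_ca_list 127.0.0.1 "$PORT_WITH_CA")"
    kill "$pid"; wait "$pid" 2>/dev/null || true

    pid=$(start_server "$PORT_WITHOUT_CA" "$workdir")
    wait_for_port "$PORT_WITHOUT_CA"
    echo "without -CAfile: $(probe_ca_list 127.0.0.1 "$PORT_WITHOUT_CA")"
    kill "$pid"; wait "$pid" 2>/dev/null || true

    rm -rf "$workdir"
}

run_demo
```

The same probe_ca_list check works against a real IMAP or POP3 server on its TLS port (for example port 993): if the output says "No client certificate CA names sent" even though the server asks for a client certificate, the server is not installing a client CA list, and a client holding several certificates has nothing to choose by.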
I have a patched Debian/Ubuntu package, but I will not post it if there is no demand for it.


Please send the patch.
[quote comment="45253"]Please send the patch.[/quote]
This has been fixed in newer versions of Dovecot. I suggest that you upgrade to a new version.