# HG changeset patch # User Timo Sirainen # Date 1189306472 -10800 # Node ID 7ad61f00ee55ea65b714b854ff8c84c38f485b02 # Parent 2b6e69bda3ecbd361d4e4fd10f1c223046c66b7a Added ssl_cert_username_field setting. diff -r 2b6e69bda3ec -r 7ad61f00ee55 dovecot-example.conf --- a/dovecot-example.conf Sun Sep 09 05:30:20 2007 +0300 +++ b/dovecot-example.conf Sun Sep 09 05:54:32 2007 +0300 @@ -107,6 +107,11 @@ # ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no +# Which field from certificate to use for username. commonName and +# x500UniqueIdentifier are the usual choices. You'll also need to set +# ssl_username_from_cert=yes. +#ssl_cert_username_field = commonName + # How often to regenerate the SSL parameters file. Generation is quite CPU # intensive operation. The value is in hours, 0 disables regeneration # entirely. diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Sun Sep 09 05:30:20 2007 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Sun Sep 09 05:54:32 2007 +0300 @@ -66,6 +66,7 @@ static SSL_CTX *ssl_ctx; static struct hash_table *ssl_proxies; static struct ssl_parameters ssl_params; +static int ssl_username_nid; static void plain_read(struct ssl_proxy *proxy); static void ssl_read(struct ssl_proxy *proxy); @@ -522,7 +523,7 @@ return NULL; /* we should have had it.. */ if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509), - NID_commonName, buf, sizeof(buf)) < 0) + ssl_username_nid, buf, sizeof(buf)) < 0) name = ""; else name = t_strndup(buf, sizeof(buf)); @@ -681,7 +682,7 @@ void ssl_proxy_init(void) { static char dovecot[] = "dovecot"; - const char *cafile, *certfile, *keyfile, *cipher_list; + const char *cafile, *certfile, *keyfile, *cipher_list, *username_field; char *password; unsigned char buf; 
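Review bot: In the ssl-proxy-openssl.c hunk at -522, the length that X509_NAME_get_text_by_NID() returns is thrown away and the name is copied with `t_strndup(buf, sizeof(buf))`, so an attribute value containing an embedded NUL is silently cut at the NUL and an over-long value is silently truncated to a different string; with the attribute now admin-selectable rather than fixed to commonName this deserves a check. Keep the return value and compare it with the C-string length, e.g. `int len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509), ssl_username_nid, buf, sizeof(buf));` followed by `if (len < 0 || strlen(buf) != (size_t)len) name = ""; else name = t_strndup(buf, len);`, and treat a truncated copy as a failure too if the full length (queried with a NULL buffer first) does not fit in buf. This call also copies the raw attribute bytes, so if the configured field is not a string type — x500UniqueIdentifier, which the dovecot-example.conf hunk suggests, is defined as a BIT STRING in X.520 — the result is not text, which is worth stating in the example config comment. The enclosing function starts and ends outside the hunk.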
@@ -760,6 +761,17 @@ SSL_load_client_CA_file(cafile)); } + username_field = getenv("SSL_CERT_USERNAME_FIELD"); + if (username_field == NULL) + ssl_username_nid = NID_commonName; + else { + ssl_username_nid = OBJ_txt2nid(username_field); + if (ssl_username_nid == NID_undef) { + i_fatal("Invalid ssl_cert_username_field: %s", + username_field); + } + } + /* PRNG initialization might want to use /dev/urandom, make sure it does it before chrooting. We might not have enough entropy at the first try, so this function may fail. It's still been diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/login-process.c --- a/src/master/login-process.c Sun Sep 09 05:30:20 2007 +0300 +++ b/src/master/login-process.c Sun Sep 09 05:54:32 2007 +0300 @@ -542,6 +542,8 @@ env_put(t_strconcat("SSL_CIPHER_LIST=", set->ssl_cipher_list, NULL)); } + env_put(t_strconcat("SSL_CERT_USERNAME_FIELD=", + set->ssl_cert_username_field, NULL)); if (set->ssl_verify_client_cert) env_put("SSL_VERIFY_CLIENT_CERT=1"); } diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings-defs.c --- a/src/master/master-settings-defs.c Sun Sep 09 05:30:20 2007 +0300 +++ b/src/master/master-settings-defs.c Sun Sep 09 05:54:32 2007 +0300 @@ -27,6 +27,7 @@ DEF_STR(ssl_key_password), DEF_INT(ssl_parameters_regenerate), DEF_STR(ssl_cipher_list), + DEF_STR(ssl_cert_username_field), DEF_BOOL(ssl_verify_client_cert), DEF_BOOL(disable_plaintext_auth), DEF_BOOL(verbose_ssl), diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.c --- a/src/master/master-settings.c Sun Sep 09 05:30:20 2007 +0300 +++ b/src/master/master-settings.c Sun Sep 09 05:54:32 2007 +0300 @@ -183,6 +183,7 @@ MEMBER(ssl_key_password) "", MEMBER(ssl_parameters_regenerate) 168, MEMBER(ssl_cipher_list) "", + MEMBER(ssl_cert_username_field) "commonName", MEMBER(ssl_verify_client_cert) FALSE, MEMBER(disable_plaintext_auth) TRUE, MEMBER(verbose_ssl) FALSE, diff -r 2b6e69bda3ec -r 7ad61f00ee55 src/master/master-settings.h 
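Review bot: In the ssl_proxy_init hunk at -760, the new setting is validated only here, inside each login process, so a mistyped ssl_cert_username_field is not caught when the master reads its configuration but instead makes every login process die in i_fatal() at startup; if the master can resolve the name (it would need OpenSSL's OBJ_txt2nid(), which is not visible in this patch), the same check belongs next to the other ssl_* settings in master-settings.c. It is also worth documenting that OBJ_txt2nid() resolves only names and dotted OIDs already in OpenSSL's object table, so a private attribute given as a numeric OID is reported as "Invalid" even though it is well-formed; a comment such as `/* OBJ_txt2nid() knows only OpenSSL's built-in attribute names/OIDs; anything else yields NID_undef */` above the call would save the next reader a trip to the manual. The enclosing ssl_proxy_init() starts and ends outside this hunk.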
--- a/src/master/master-settings.h Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.h Sun Sep 09 05:54:32 2007 +0300
@@ -41,6 +41,7 @@
 const char *ssl_key_password;
 unsigned int ssl_parameters_regenerate;
 const char *ssl_cipher_list;
+ const char *ssl_cert_username_field;
 bool ssl_verify_client_cert;
 bool disable_plaintext_auth;
 bool verbose_ssl;