changeset 1997:1d0985f6bdd9 HEAD
Added ssl_verify_client_cert setting.
author | Timo Sirainen <tss@iki.fi> |
date | Mon, 10 May 2004 05:15:16 +0300 |
parents | d8f06a0c818e |
children | 7c9e02c14f8e |
files | dovecot-example.conf src/login-common/ssl-proxy-openssl.c src/master/login-process.c src/master/master-settings.c src/master/master-settings.h |
diffstat | 5 files changed, 17 insertions(+), 0 deletions(-) [+] |
--- a/dovecot-example.conf Mon May 10 04:55:41 2004 +0300
+++ b/dovecot-example.conf Mon May 10 05:15:16 2004 +0300
@@ -34,6 +34,12 @@
 #ssl_cert_file = /etc/ssl/certs/dovecot.pem
 #ssl_key_file = /etc/ssl/private/dovecot.pem
 
+# File containing trusted SSL certificate authorities. Usually not needed.
+#ssl_ca_file =
+
+# Require client to send a valid certificate, otherwise fail the SSL handshake.
+#ssl_verify_client_cert = no
+
 # SSL parameter file. Master process generates this file for login processes.
 # It contains Diffie Hellman and RSA parameters.
 #ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
--- a/src/login-common/ssl-proxy-openssl.c Mon May 10 04:55:41 2004 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Mon May 10 05:15:16 2004 +0300
@@ -453,6 +453,12 @@
 	if (SSL_CTX_need_tmp_RSA(ssl_ctx))
 		SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
 
+	if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
+		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
+				   SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
+				   SSL_VERIFY_CLIENT_ONCE, NULL);
+	}
+
 	/* PRNG initialization might want to use /dev/urandom, make sure it
 	   does it before chrooting. */
 	if (RAND_bytes(&buf, 1) != 1)
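Review bot: The new `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, NULL)` can only accept a client certificate if trusted CAs have already been loaded into ssl_ctx, and nothing in this hunk loads them; presumably that happens elsewhere from ssl_ca_file, but if it does not, every client certificate fails the handshake, which is fail-closed yet leaves the example config's "Usually not needed" wording for ssl_ca_file misleading once ssl_verify_client_cert is enabled. Passing NULL as the verify callback means a rejected certificate produces no log line of its own; since a verbose_ssl setting already exists, consider a callback (or checking SSL_get_verify_result() after the handshake) that logs the X509 verify error so operators can distinguish a rejected client cert from a generic handshake failure. The block also deserves a comment stating its scope, `/* Checks chain validity only; the cert subject is not bound to the login username here. */`, because a certificate from any trusted CA is sufficient to reach authentication. The enclosing function starts and ends outside the hunk.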
--- a/src/master/login-process.c Mon May 10 04:55:41 2004 +0300
+++ b/src/master/login-process.c Mon May 10 05:15:16 2004 +0300
@@ -396,6 +396,8 @@
 			env_put(t_strconcat("SSL_CIPHER_LIST=", set->ssl_cipher_list, NULL));
 		}
+		if (set->ssl_verify_client_cert)
+			env_put("SSL_VERIFY_CLIENT_CERT=1");
 	}
 
 	if (set->disable_plaintext_auth)
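Review bot: The environment variable name in `env_put("SSL_VERIFY_CLIENT_CERT=1");` is a bare string literal here and again in the getenv() call in ssl-proxy-openssl.c, so the two sides can drift without any compiler help; a shared macro in a common header (for example `#define SSL_VERIFY_CLIENT_CERT_ENV "SSL_VERIFY_CLIENT_CERT"`) would catch a mismatch at build time. The login side tests only for the variable's presence, so the `=1` value is informational; a one-line comment, `/* presence alone enables verification in the login process */`, would stop a future change from adding value parsing on one side only. The enclosing function starts and ends outside the hunk.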
--- a/src/master/master-settings.c Mon May 10 04:55:41 2004 +0300
+++ b/src/master/master-settings.c Mon May 10 05:15:16 2004 +0300
@@ -52,6 +52,7 @@
 	DEF(SET_STR, ssl_parameters_file),
 	DEF(SET_STR, ssl_parameters_regenerate),
 	DEF(SET_STR, ssl_cipher_list),
+	DEF(SET_BOOL, ssl_verify_client_cert),
 	DEF(SET_BOOL, disable_plaintext_auth),
 	DEF(SET_BOOL, verbose_ssl),
 
@@ -174,6 +175,7 @@
 	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
 	MEMBER(ssl_parameters_regenerate) 24,
 	MEMBER(ssl_cipher_list) NULL,
+	MEMBER(ssl_verify_client_cert) FALSE,
 	MEMBER(disable_plaintext_auth) TRUE,
 	MEMBER(verbose_ssl) FALSE,
 
--- a/src/master/master-settings.h Mon May 10 04:55:41 2004 +0300
+++ b/src/master/master-settings.h Mon May 10 05:15:16 2004 +0300
@@ -29,6 +29,7 @@
 	const char *ssl_parameters_file;
 	unsigned int ssl_parameters_regenerate;
 	const char *ssl_cipher_list;
+	int ssl_verify_client_cert;
 	int disable_plaintext_auth;
 	int verbose_ssl;
 