changeset 1997:1d0985f6bdd9 HEAD

Added ssl_verify_client_cert setting.
author Timo Sirainen <tss@iki.fi>
date Mon, 10 May 2004 05:15:16 +0300
parents d8f06a0c818e
children 7c9e02c14f8e
files dovecot-example.conf src/login-common/ssl-proxy-openssl.c src/master/login-process.c src/master/master-settings.c src/master/master-settings.h
diffstat 5 files changed, 17 insertions(+), 0 deletions(-) [+]
--- a/dovecot-example.conf	Mon May 10 04:55:41 2004 +0300
+++ b/dovecot-example.conf	Mon May 10 05:15:16 2004 +0300
@@ -34,6 +34,12 @@
 #ssl_cert_file = /etc/ssl/certs/dovecot.pem
 #ssl_key_file = /etc/ssl/private/dovecot.pem
 
+# File containing trusted SSL certificate authorities. Usually not needed.
+#ssl_ca_file = 
+
+# Require client to send a valid certificate, otherwise fail the SSL handshake.
+#ssl_verify_client_cert = no
+
 # SSL parameter file. Master process generates this file for login processes.
 # It contains Diffie Hellman and RSA parameters.
 #ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
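Review bot: The comment added for ssl_ca_file says it is "Usually not needed", but the ssl_verify_client_cert setting added a few lines below cannot work without it: with no trusted CAs loaded every client certificate fails verification, and with the new setting enabled every connection then fails the handshake. Suggest tying the two options together in the text, e.g. `# File containing trusted SSL certificate authorities. Required if` / `# ssl_verify_client_cert = yes, otherwise usually not needed.`. It would also help administrators to state next to ssl_verify_client_cert that, as far as this changeset goes, the certificate is only checked against the trusted CAs and is not matched to the user who logs in.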
--- a/src/login-common/ssl-proxy-openssl.c	Mon May 10 04:55:41 2004 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Mon May 10 05:15:16 2004 +0300
@@ -453,6 +453,12 @@
 	if (SSL_CTX_need_tmp_RSA(ssl_ctx))
 		SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
 
+	if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
+		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
+				   SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
+				   SSL_VERIFY_CLIENT_ONCE, NULL);
+	}
+
 	/* PRNG initialization might want to use /dev/urandom, make sure it
 	   does it before chrooting. */
 	if (RAND_bytes(&buf, 1) != 1)
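Review bot: The new SSL_CTX_set_verify() call installs SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT with a NULL callback, but nothing in this hunk loads a trust store or sets the list of acceptable CAs, so the handshake can only succeed if SSL_CTX_load_verify_locations() already ran earlier in this function (not visible here), and clients holding several certificates receive an empty CA list in the CertificateRequest. If the CA file is known at this point, add `SSL_CTX_set_client_CA_list(ssl_ctx, SSL_load_client_CA_file(<ca_file>));` next to the verify call (placeholder for whatever variable holds ssl_ca_file), and consider refusing to enable verification when no CA store was loaded, so a misconfiguration is reported at startup instead of every client being rejected. With a NULL callback a failed verification surfaces only as a generic handshake failure; a small callback that logs X509_STORE_CTX_get_error() when verbose_ssl is set would make such rejections diagnosable. Note also that `getenv("SSL_VERIFY_CLIENT_CERT") != NULL` treats any value, including "0", as enabled, which matches the `=1` put in login-process.c but must be kept in sync with it. The enclosing function starts and ends outside the hunk.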
--- a/src/master/login-process.c	Mon May 10 04:55:41 2004 +0300
+++ b/src/master/login-process.c	Mon May 10 05:15:16 2004 +0300
@@ -396,6 +396,8 @@
 			env_put(t_strconcat("SSL_CIPHER_LIST=",
 					    set->ssl_cipher_list, NULL));
 		}
+		if (set->ssl_verify_client_cert)
+			env_put("SSL_VERIFY_CLIENT_CERT=1");
 	}
 
 	if (set->disable_plaintext_auth)
--- a/src/master/master-settings.c	Mon May 10 04:55:41 2004 +0300
+++ b/src/master/master-settings.c	Mon May 10 05:15:16 2004 +0300
@@ -52,6 +52,7 @@
 	DEF(SET_STR, ssl_parameters_file),
 	DEF(SET_STR, ssl_parameters_regenerate),
 	DEF(SET_STR, ssl_cipher_list),
+	DEF(SET_BOOL, ssl_verify_client_cert),
 	DEF(SET_BOOL, disable_plaintext_auth),
 	DEF(SET_BOOL, verbose_ssl),
 
@@ -174,6 +175,7 @@
 	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
 	MEMBER(ssl_parameters_regenerate) 24,
 	MEMBER(ssl_cipher_list) NULL,
+	MEMBER(ssl_verify_client_cert) FALSE,
 	MEMBER(disable_plaintext_auth) TRUE,
 	MEMBER(verbose_ssl) FALSE,
 
--- a/src/master/master-settings.h	Mon May 10 04:55:41 2004 +0300
+++ b/src/master/master-settings.h	Mon May 10 05:15:16 2004 +0300
@@ -29,6 +29,7 @@
 	const char *ssl_parameters_file;
 	unsigned int ssl_parameters_regenerate;
 	const char *ssl_cipher_list;
+	int ssl_verify_client_cert;
 	int disable_plaintext_auth;
 	int verbose_ssl;