changeset 4352:d57c83c64b20 HEAD
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
sent certificates that fail verification. If verbose_ssl=yes, log even the valid
certificates. When using the username from the certificate, use CommonName.
Based on patch by HenkJan Wolthuis
author | Timo Sirainen <tss@iki.fi> |
date | Fri, 16 Jun 2006 12:41:20 +0300 |
parents | 61cc7e40bec6 |
children | 3e542f308cb5 |
files | src/login-common/ssl-proxy-openssl.c |
diffstat | 1 files changed, 28 insertions(+), 4 deletions(-) [+] |
--- a/src/login-common/ssl-proxy-openssl.c	Fri Jun 16 12:40:40 2006 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Fri Jun 16 12:41:20 2006 +0300
@@ -508,10 +508,13 @@
 	if (x509 == NULL)
 		return NULL; /* we should have had it.. */
-	X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
-	name = t_strndup(buf, sizeof(buf));
+	if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+				      NID_commonName, buf, sizeof(buf)) < 0)
+		name = "";
+	else
+		name = t_strndup(buf, sizeof(buf));
 	X509_free(x509);
-
+
 	return *name == '\0' ? NULL : name;
 }
@@ -580,11 +583,25 @@
 	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
 	proxy = SSL_get_ex_data(ssl, extdata_index);
+	proxy->cert_received = TRUE;
-	proxy->cert_received = TRUE;
+	if (verbose_ssl || (verbose_auth && !preverify_ok)) {
+		char buf[1024];
+		X509_NAME *subject;
+
+		subject = X509_get_subject_name(ctx->current_cert);
+		(void)X509_NAME_oneline(subject, buf, sizeof(buf));
+		buf[sizeof(buf)-1] = '\0'; /* just in case.. */
+		if (!preverify_ok)
+			i_info("Invalid certificate: %s", buf);
+		else
+			i_info("Valid certificate: %s", buf);
+	}
 	if (!preverify_ok)
 		proxy->cert_broken = TRUE;
+	/* Return success anyway, because if ssl_require_client_cert=no we
+	   could still allow authentication. */
 	return 1;
 }
@@ -665,6 +682,13 @@
 	SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
 	if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		X509_STORE *store;
+
+		store = SSL_CTX_get_cert_store(ssl_ctx);
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+				     X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_client_cert);
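Review bot: The CommonName copied into buf by X509_NAME_get_text_by_NID is then cut at the first NUL by t_strndup, so a certificate whose CN carries an embedded NUL byte (or a non-ASCII string type that contains NUL bytes) yields a shorter login name than the CA actually certified, and the `< 0` test only catches a missing CN. Since this string becomes the username, compare the returned byte count with what survived in buf: `len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509), NID_commonName, buf, sizeof(buf)); if (len < 0 || (size_t)len != strlen(buf)) name = ""; else name = t_strndup(buf, sizeof(buf));`. A CN longer than the buffer is silently truncated by the same call; whether that is acceptable for a username is a policy question, but a one-line comment saying so would help. The enclosing function begins before this hunk, so the declaration of buf and name is not visible here.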
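Review bot: The `i_info("Invalid certificate: %s", buf)` line records which subject failed but not why, and because this callback is invoked once per certificate in the chain, `ctx->current_cert` can be an intermediate or root CA rather than the client's own certificate, so an operator cannot tell a revoked leaf from a missing CRL for a CA. Log the verification error and depth alongside the subject: `i_info("Invalid certificate: %s: %s (depth %d)", buf, X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), X509_STORE_CTX_get_error_depth(ctx));`. As a matter of style, `ctx->current_cert` reaches into the OpenSSL struct directly where `X509_STORE_CTX_get_current_cert(ctx)` is available. The enclosing function starts before this hunk.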
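Review bot: Setting X509_V_FLAG_CRL_CHECK_ALL unconditionally makes a CRL mandatory for every CA in the client's chain, and as far as I recall OpenSSL then fails verification with X509_V_ERR_UNABLE_TO_GET_CRL when no CRL has been loaded for one of them, so a deployment that never provisioned CRLs will start rejecting every client certificate once ssl_require_client_cert is on; nothing in this hunk or the commit message says where CRLs are expected to come from. At minimum add a comment above the X509_STORE_set_flags call, e.g. `/* CRL_CHECK_ALL: every CA in the chain needs a CRL in the verify store, otherwise verification fails with "unable to get certificate CRL" */`, or consider gating the flags behind a setting. The #if also means that on OpenSSL older than 0.9.7 CRLs are silently not checked even though the commit says they are; a comment after the #endif stating that would keep the behaviour honest. The enclosing function begins before this hunk.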