Re: CA certs for Dovecot-as-client (proxy)

2021-04-21 Thread justina colmena ~biz
On Wednesday, April 21, 2021 2:13:01 AM AKDT Aki Tuomi wrote:
> Hi!
> 
> This is unfortunately a bug, see note in
> https://doc.dovecot.org/configuration_manual/authentication/proxies/
> 
> "ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying
> the remote certificate, although ideally they will be in a future Dovecot
> version. For now you need to add the trusted remote certificates to
> ssl_ca."
> 
> Aki
FWIW, I always thought Aki was a man's name, but they're calling it a baby 
girl's name if you look it up on Google. You couldn't make this stuff up if 
you tried.
 * https://www.thebump.com/b/aki-baby-name
I don't like the Microsoft-dominated scene here any more than anyone else 
does. If a guy has to clear his throat in a court of law or something like 
that over every little bug or issue to have it fixed, then there's quite a mob 
of organized criminal spammers on the mailing list, and of course the law 
enforcement community is always on their side when they spam vice pills down 
our throats via e-mail.



Re: CA certs for Dovecot-as-client (proxy)

2021-04-21 Thread Aki Tuomi


> On 21/04/2021 12:56 Peter Mogensen wrote:
> 
> Hi,
> 
> When using proxy=y, ssl=yes (Dovecot 2.3.13) I consistently get this
> logged when trying to validate the remote server cert.
> 
> "Disconnected by server: Connection closed: Received invalid SSL
> certificate: unable to get local issuer certificate: /C=BE/O=GlobalSign
> nv-sa/CN=AlphaSSL CA - SHA256 - G2 (check ssl_client_ca_* settings?)"
> 
> As I read the 2.3.x documentation (and the error logged) Dovecot needs
> to have the trusted CA cert with ssl_client_ca_file or ssl_client_ca_dir.
> 
> So, I've tried every combination of putting the cert (and the GlobalSign
> root CA signing it) in ssl_client_ca_dir and individually and as a
> bundle in ssl_client_ca_file without luck.
> 
> But even though I can verify the cert with "openssl s_client -connect"
> and with "openssl verify", no matter what I put in the ssl_client_ca_*
> settings it seems Dovecot just ignores it.
> 
> It does complain though, if I point it to a non-existent file, but not
> if I just fill the file with invalid cert data which can't be parsed.
> 
> I end up getting in doubt whether it consults the cert data at all.
> 
> I'm a bit at a loss on how to debug this further, short of running it in
> gdb. "verbose_ssl" doesn't really say anything about the process of finding
> a CA cert to check with.
> 
> Have I misunderstood the config?
> 
> /Peter

Hi!

This is unfortunately a bug, see note in
https://doc.dovecot.org/configuration_manual/authentication/proxies/

"ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying 
the remote certificate, although ideally they will be in a future Dovecot 
version. For now you need to add the trusted remote certificates to ssl_ca."

Aki
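
The workaround from the proxy documentation, written out as an added configuration example (not from this thread and not the Dovecot project's own sample config). The bundle path, backend hostname and the static passdb are assumptions chosen for illustration; the setting names and the `<file` syntax are Dovecot's.

```conf
# /etc/dovecot/conf.d/10-ssl.conf (only the lines relevant to proxying)

# What the 2.3.x docs and the log hint ("check ssl_client_ca_* settings?")
# point at. Per the note Aki quotes, the 2.3.13 proxy code does not consult
# these when verifying the backend's certificate, so on its own this setting
# leaves the "unable to get local issuer certificate" error in place.
ssl_client_ca_file = /etc/ssl/certs/backend-ca-bundle.pem   # assumed path

# Workaround: put the backend's trust chain (root CA, plus the intermediate
# if you do not rely on the backend sending it) into ssl_ca. The leading "<"
# makes Dovecot read the file contents into the setting.
ssl_ca = </etc/ssl/certs/backend-ca-bundle.pem

# Caveat: ssl_ca is also the trust store Dovecot uses for verifying client
# certificates. Keep ssl_verify_client_cert off unless you intend to accept
# client certificates issued by these CAs.
ssl_verify_client_cert = no

# /etc/dovecot/conf.d/auth-proxy.conf (illustrative static passdb)
passdb {
  driver = static
  # ssl=yes keeps certificate verification on. Do not silence the error with
  # ssl=any-cert, which accepts any certificate the backend presents.
  args = proxy=y host=imap-backend.example.net port=993 ssl=yes nopassword=y
}
```

After changing the file, `doveconf -n | grep ssl_ca` shows whether the PEM contents were actually read; a wrong path under `<` is reported at startup, whereas a file of unparseable data is not, which matches what Peter observed for `ssl_client_ca_file`.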


CA certs for Dovecot-as-client (proxy)

2021-04-21 Thread Peter Mogensen
Hi,

When using proxy=y, ssl=yes (Dovecot 2.3.13) I consistently get this
logged when trying to validate the remote server cert.

"Disconnected by server: Connection closed: Received invalid SSL
certificate: unable to get local issuer certificate: /C=BE/O=GlobalSign
nv-sa/CN=AlphaSSL CA - SHA256 - G2 (check ssl_client_ca_* settings?)"

As I read the 2.3.x documentation (and the error logged) Dovecot needs
to have the trusted CA cert with ssl_client_ca_file or ssl_client_ca_dir.

So, I've tried every combination of putting the cert (and the GlobalSign
root CA signing it) in ssl_client_ca_dir and individually and as a
bundle in ssl_client_ca_file without luck.

But even though I can verify the cert with "openssl s_client -connect"
and with "openssl verify", no matter what I put in the ssl_client_ca_*
settings it seems Dovecot just ignores it.

It does complain though, if I point it to a non-existent file, but not
if I just fill the file with invalid cert data which can't be parsed.

I end up getting in doubt whether it consults the cert data at all.

I'm a bit at a loss on how to debug this further, short of running it in
gdb. "verbose_ssl" doesn't really say anything about the process of finding
a CA cert to check with.

Have I misunderstood the config?

/Peter
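
The `openssl verify` check Peter describes, as an added example that is not part of the original post: it generates a throwaway root, intermediate and leaf locally (the Demo CA names and `imap.example.test` are made up for the demo), mimics the chain a backend actually sends in the handshake (leaf plus intermediate, no root), and shows which local trust store produces the exact "unable to get local issuer certificate" text seen in the Dovecot log and which one makes the chain validate. Only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the failure Peter saw with a
# constructed root -> intermediate -> leaf chain, then check which CA bundle
# lets "openssl verify" accept the chain the server actually sends.
# Assumes only the openssl CLI; every certificate below is generated locally
# and the names (Demo Root CA, imap.example.test) are made up for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/leaf.ext"

# self_signed NAME SUBJECT: a self-signed CA certificate and key.
self_signed() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue NAME SUBJECT ISSUER EXTFILE: a key plus a certificate signed by ISSUER.
issue() {
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$4" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_chain() {
    self_signed root  '/O=Demo/CN=Demo Root CA'
    self_signed other '/O=Demo/CN=Unrelated Root CA'   # a CA that signed nothing here
    issue int  '/O=Demo/CN=Demo Intermediate CA' root "$WORK/ca.ext"
    issue leaf '/CN=imap.example.test'           int  "$WORK/leaf.ext"
    # What a backend typically presents in the TLS handshake: leaf plus
    # intermediate, never the root. The root has to come from the local store.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served-chain.pem"
    # Root plus intermediate, the kind of bundle Peter tried.
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"
}

# verify_with BUNDLE: 0 if the served chain validates against BUNDLE, else 1.
verify_with() {
    openssl verify -CAfile "$1" -untrusted "$WORK/served-chain.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_error BUNDLE: the verifier's own explanation, i.e. the same
# "unable to get local issuer certificate" text Dovecot relays in its log.
verify_error() {
    openssl verify -CAfile "$1" -untrusted "$WORK/served-chain.pem" \
        "$WORK/leaf.pem" 2>&1 || true
}

report() {
    if verify_with "$WORK/$1.pem"; then
        echo "$1.pem as trust store: OK"
    else
        echo "$1.pem as trust store: FAIL"
        verify_error "$WORK/$1.pem" | sed 's/^/    /'
    fi
}

make_chain
report other    # unrelated CA: "unable to get local issuer certificate" at depth 1
report int      # the intermediate alone is no trust anchor without -partial_chain
report root     # the self-signed root alone is enough; the server sends the intermediate
report bundle   # root + intermediate also verifies
```

The `other` case reproduces the log line from the original post: the failure is reported at depth 1, against the intermediate, because the verifier found the intermediate in what the server sent but could not find its issuer in the local store. Whatever file Dovecot ends up reading as its trust store must therefore contain the self-signed root; a file that `openssl verify -CAfile` accepts here is the one to hand to Dovecot.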