Re: [Dovecot] imap-login hangs after receiving revoked SSL certificate
Hello again.

03.12.2013 00:41, Алексей Прокопчук writes:
> I have own test CA based on EJBCA. Server and all client certificates which I tried to test were
> issued by this CA. Freshest CRL is embedded into ca.pem file which used
> as ca certificate in dovecot.conf.
> Now I'm quite confused: apache works with these certificates as
> expected: accepts valid and refuses revoked. But with dovecot which
> yesterday accepts at least one certificate (which I revoked for testing)
> today rejects all others from same CA.

Thanks for attention, and excuse me for occupying your time.

The problem was in the CRL generated by EJBCA. Apparently, EJBCA and OpenSSL are not entirely compatible. When I remove the CRL distribution point field from my EJBCA-generated CRL, all works as expected: valid certificates are accepted, revoked certificates are rejected. And there is no problem with CRL scope, so the fix from the first reply isn't needed; all works with the initially installed openssl-1.0.1c.

With regard to apache, I think it checks certificate validity with OCSP. And I don't embed the CRL in the ca certificate for apache.

Perhaps it would be nice to implement OCSP validity checking together with embedded CRL, with the possibility to choose which one will be used.

Thanks again, especially for the hint about the openssl scope loop problem.

With best regards,
Alexey Prokopchuk (AP8686-RIPE)
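The thread's setup is a CA bundle where the CRL is appended to the CA certificate file named by ssl_ca, with OpenSSL rejecting a certificate as "Different CRL scope" when the CRL carries an Issuing Distribution Point (the "CRL distribution point field" of the EJBCA CRL) that the client certificate's CRL Distribution Points do not match. The script below is an added example, not code from the thread, Dovecot or EJBCA: it builds a throwaway CA with the openssl CLI, issues one valid and one revoked client certificate, appends the CRL to the CA file the way ssl_ca expects, verifies both certificates against that bundle with leaf CRL checking, and inspects the CRL for an Issuing Distribution Point. All subjects, file names and the CA configuration are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, one valid and one revoked
# client certificate, CRL appended to the CA file as Dovecot's ssl_ca expects.
# Every name, subject and path here is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for "openssl ca" and "openssl req" (constructed here).
write_ca_config() {
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = test_ca
[ test_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
organizationName = optional
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Issue a client certificate signed by the demo CA; $1 is used as the CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Demo CA/CN=$1" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}

# Create the CA and two client certs, revoke one, and write ca_bundle.pem
# (CA certificate followed by the CRL), the layout used for ssl_ca.
build_test_pki() {
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/O=Demo CA/CN=Demo Root" -days 365 -config ca.cnf >/dev/null 2>&1
  issue_cert valid
  issue_cert revoked
  openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.pem ca.crl > ca_bundle.pem
}

# Verify certificate $1 against bundle $2 with leaf CRL checking, the check a
# server applies at handshake time. Returns 0 only when OpenSSL prints "<file>: OK"
# (older openssl versions exit 0 even on failure, so the output is inspected).
verify_client() {
  openssl verify -crl_check -CAfile "$2" "$1" 2>&1 | grep -q "^$1: OK$"
}

# Returns 0 when CRL $1 carries an Issuing Distribution Point extension. When it
# does, OpenSSL matches it against the certificate's CRL Distribution Points and
# a certificate without a matching one fails with "Different CRL scope".
crl_has_idp() {
  openssl crl -in "$1" -noout -text | grep -q "Issuing Distribution Point"
}

build_test_pki
verify_client valid.pem ca_bundle.pem && echo "valid.pem: accepted"
verify_client revoked.pem ca_bundle.pem || echo "revoked.pem: rejected (listed in CRL)"
if crl_has_idp ca.crl; then
  echo "ca.crl: has Issuing Distribution Point, CRL scope matching applies"
else
  echo "ca.crl: no Issuing Distribution Point, no CRL scope matching"
fi
```

A CRL produced by openssl ca carries no Issuing Distribution Point, so the scope check never fires and the bundle behaves as the last message in the thread describes. Running crl_has_idp against a CA's real CRL is a quick way to tell whether the "Different CRL scope" path can apply to it before wiring it into ssl_ca.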
Re: [Dovecot] imap-login hangs after receiving revoked SSL certificate
Hello again.

02.12.2013 18:19, Timo Sirainen writes:
> What OpenSSL version are you using?
>
> This looks like the same issue:
>
> http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
>
> Where the fix is in:
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe
>
> Not sure if Dovecot should be doing something different here, or maybe
> working around that bug. I think Postfix has the same problem.

I used openssl version 1.0.1c when I wrote the first message. Following your advice, I tried to apply the patch from the fix above on openssl-1.0.1e. Now there are no hangs, but dovecot treats any user certificate as invalid. And very interesting: first dovecot reports that the certificate is invalid, and immediately thereafter reports that the same certificate is valid. And finally it reports "client sent an invalid cert".

I have my own test CA based on EJBCA. The server and all client certificates which I tried to test were issued by this CA. The freshest CRL is embedded into the ca.pem file, which is used as the ca certificate in dovecot.conf.

Here is the log:
--
Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 3 00:10:25 mail dovecot: imap-login: Disconnected (client sent an invalid cert): user=<>, method=PLAIN, rip=192.168.200.55, lip=192.168.200.1, TLS, session=
--

Now I'm quite confused: apache works with these certificates as expected: accepts valid and refuses revoked. But dovecot, which yesterday accepted at least one certificate (which I revoked for testing), today rejects all others from the same CA.

Thanks for attention, with best regards,
Alexey Prokopchuk (AP8686-RIPE)
Re: [Dovecot] imap-login hangs after receiving revoked SSL certificate
On 2.12.2013, at 15.41, Алексей Прокопчук wrote:
> I use dovecot-2.1.16 on Gentoo Linux amd64.
>
> All works fine with valid certificates. But if I submit revoked
> certificate, dovecot doesn't send error or success messages to mail
> client, process 'imap-login' eats 100% CPU and completely hangs. Only
> SIGKILL can terminate it. When dovecot receives revoked certificate,
> following messages appears in the log:
>
> --
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate:
> certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different
> CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
> Dec 2 13:50:39 mail last message repeated 17950 times
> ---

What OpenSSL version are you using?

This looks like the same issue:

http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest

Where the fix is in:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe

Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
[Dovecot] imap-login hangs after receiving revoked SSL certificate
Good time of the day! My English is not very good, excuse me if I said something wrong.

I use dovecot-2.1.16 on Gentoo Linux amd64. I need to set up dovecot (imap and pop3) for SSL and non-SSL connections simultaneously. For SSL connections the client must submit a valid SSL certificate. Now the SSL part of dovecot.conf looks like this:
-
ssl = yes
ssl_cert =