On Wed, Nov 27, 2013 at 05:26:09AM +0100, Philippe Lelédy wrote:
> On 22/11/13 18:22, Philippe Lelédy wrote:
> >-3- I have an S/MIME certificate in my UA, but it lacks a CA file, so I get:
> >
> >debug: lka: X509 verify: unable to get local issuer certificate
> >
> >Hence, it seems that OpenSMTPD has this undocumented feature that
> >it is able to authenticate using X509 certificate. Will give it a
> >try.
> >
> >
> SUCCESS.
> 
> It was my misunderstanding of OpenSSL and CA. Now it is OK:
> 
> smtp-in: Client certificate verification succeeded on session
> b28ae6965be3335d
> 
> The message debug: lka: X509 verify: unable to get local issuer certificate
> was an OpenSSL message. What I did for debugging is
> 
> openssl verify -CAfile sub.class1.client.bundle.pem my-mine.cert
> 
> It is important to understand that the pki smtpd.conf parameters
> certificate and key are here for the client to trust the server, but the
> ca parameter is here for the server to trust the certificate of the
> client. Hence I had to make a bundle with sub.class1.client.ca and
> not the sub.class1.server.ca!
> 
> It is very clever that OpenSMTPD messages about SSL are exactly the
> messages issued by OpenSSL; it helps debugging.
> 
> But the certificate validation is not yet used at all by OpenSMTPD
> auth! Only the password matters.
> 

Actually you can force both by having a listen line that states:

         listen on all port submission tls-require verify auth <mycreds>

this way your submission port will use tls-require and verify the
certificate before the user even gets a chance to authenticate.


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
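The point Philippe hit, as an added shell example that is not part of the thread: the `ca` handed to the server must be the CA that actually issued the client certificate, and `openssl verify` reproduces OpenSMTPD's "unable to get local issuer certificate" message when it is not. The script builds two throwaway CAs (stand-ins for the thread's sub.class1.server.ca and sub.class1.client.ca; all names and paths are constructed here), issues a client certificate from one of them, and verifies it against each.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the lka/OpenSSL error with
# throwaway CAs and shows that verifying against the issuing CA succeeds.
# All names (server-ca, client-ca, client) and paths are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: a self-signed CA certificate and key under $WORK.
# server-ca stands in for the CA that signed the server's own certificate,
# client-ca for the CA that signs client (S/MIME-style) certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_ca server-ca
make_ca client-ca

# A client certificate issued by client-ca only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/client-ca.pem" \
  -CAkey "$WORK/client-ca.key" -CAcreateserial -days 2 \
  -out "$WORK/client.pem" 2>/dev/null

# verify_against <ca name>: the same check the thread ran by hand
# (openssl verify -CAfile <bundle> <client cert>); prints OpenSSL's verdict
# and returns its exit status.
verify_against() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/client.pem" 2>&1
}

# Wrong bundle (the server-side CA): OpenSSL reports
# "unable to get local issuer certificate", exactly what lka logs.
verify_against server-ca || true

# Right bundle (the CA that issued the client cert): "client.pem: OK".
verify_against client-ca
```

The file that makes the second call succeed is the one that belongs in the `pki ... ca` line of smtpd.conf; combined with a listen line such as the `tls-require verify auth <mycreds>` one above, the server rejects a client whose certificate does not chain to that CA before it ever offers AUTH.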
