On Tue, 2007-04-03 at 11:50 +0200, Johnny Chadda wrote:
> Timo Sirainen wrote:
> > Well, I'm not that big of an OpenSSL guru, but googling shows that with
> > other software it's often a certificate configuration problem.
> >
> > Did you set ssl_ca_file and does the file contain a valid CA and CRL?
>
> Yes, the certificates are Ok. It works if I explicitly select which
> client certificate to send to the server from the mail client.
>
> Normal users shouldn't have to do this though. It should be selected
> based on which accepted CA names the server sends. It works fine in
> Cyrus (which I will use if this does not work) and Postfix.
Does the attached patch fix it?
Index: src/login-common/ssl-proxy-openssl.c =================================================================== RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v retrieving revision 1.55 diff -u -r1.55 ssl-proxy-openssl.c --- src/login-common/ssl-proxy-openssl.c 18 Mar 2007 02:51:19 -0000 1.55 +++ src/login-common/ssl-proxy-openssl.c 3 Apr 2007 09:55:23 -0000 @@ -756,6 +756,8 @@ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_client_cert); + SSL_CTX_set_client_CA_list(ssl_ctx, + SSL_load_client_CA_file(cafile)); } /* PRNG initialization might want to use /dev/urandom, make sure it
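Review bot: the return value of SSL_load_client_CA_file(cafile) is passed straight into SSL_CTX_set_client_CA_list without a NULL check. SSL_load_client_CA_file returns NULL when the file cannot be opened or contains no usable certificates, and SSL_CTX_set_client_CA_list(ssl_ctx, NULL) will not fail; the server would then silently send an empty CA name list in its CertificateRequest, which reproduces exactly the symptom this patch is meant to fix (clients unable to auto-select a certificate) with nothing in the log to explain it. Suggest storing the result in a local, calling i_fatal (or at least i_error) with the file name when it is NULL, and only then installing the list. Assuming cafile is the same ssl_ca_file path already loaded for peer verification, it is also worth noting that every certificate in that file becomes an advertised accepted CA name, so the file should contain only the CAs the server actually intends to accept client certificates from.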