From: Aki Tuomi
Date: Mon, 18 Sep 2017 12:27:38 +0000 (+0300)
Subject: login-common: Use HAproxy provided proxy.ssl information
X-Git-Tag: 2.3.0.rc1~828
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6fbc235f981b10333403e2fd6d333fd351c7a3c;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Use HAproxy provided proxy.ssl information

If the connection is proxied via system that can terminate ssl for us, such as HAproxy, use that information only.
---
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 7686446d1a..5725770691 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -190,10 +190,16 @@ client_create(int fd, bool ssl, pool_t pool,
 client->real_remote_ip = conn->real_remote_ip;
 client->real_remote_port = conn->real_remote_port;
 client->listener_name = p_strdup(client->pool, conn->name);
- client->trusted = client_is_trusted(client);
- client->secured = ssl || client->trusted ||
- net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+
+ if (conn->proxied) {
+ client->secured = conn->proxy.ssl || client->trusted;
+ client->local_name = conn->proxy.hostname;
+ client->client_cert_common_name = conn->proxy.cert_common_name;
+ } else {
+ client->secured = ssl || client->trusted ||
+ net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+ }
 client->proxy_ttl = LOGIN_PROXY_TTL;
 if (last_client == NULL)
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index 8250404e9b..b633d0e27a 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -147,6 +147,8 @@ struct client {
 const struct master_service_ssl_settings *ssl_set;
 const char *session_id, *listener_name, *postlogin_socket_path;
 const char *local_name;
+ const char *client_cert_common_name;
+
 string_t *client_id;
 string_t *forward_fields;
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 812d25c6cc..b27232e629 100644
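Review bot: Both new branches read `client->trusted`, but the only assignment to it in this hunk, `client->trusted = client_is_trusted(client);`, is on the removed side and is not re-added, so unless it is assigned somewhere else in client_create outside the hunk, `trusted` is never computed and `secured` silently loses the trusted-network case (for a pool-allocated client it would presumably stay at its zeroed default). I would keep that line as context immediately before `if (conn->proxied) {`. Separately, `client->local_name` and `client->client_cert_common_name` are plain pointer copies of `conn->proxy.*`, whereas `listener_name` on the line above is `p_strdup`'d into `client->pool`; if `conn` can be released before the client, these dangle, so either confirm conn outlives the client or copy them the same way. client_create starts and ends outside the hunk.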
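Review bot: The new `client_cert_common_name` field in struct client is undocumented, yet sasl-server.c in this same commit feeds it straight into `info.cert_username`, so its origin and when it is valid should be stated on the declaration: `/* Client certificate CN reported by the upstream proxy (conn->proxy.cert_common_name); set only for proxied connections, otherwise left NULL. */`. The "otherwise NULL" part assumes the struct is zero-initialised at creation, which is outside this hunk and worth confirming. The struct client definition starts and ends outside the hunk.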
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -355,8 +355,10 @@ void sasl_server_auth_begin(struct client *client,
 info.mech = mech->name;
 info.service = service;
 info.session_id = client_get_session_id(client);
- info.cert_username = client->ssl_proxy == NULL ? NULL :
- ssl_proxy_get_peer_name(client->ssl_proxy);
+ if (client->client_cert_common_name != NULL)
+ info.cert_username = client->client_cert_common_name;
+ else if (client->ssl_proxy != NULL)
+ info.cert_username = ssl_proxy_get_peer_name(client->ssl_proxy);
 info.flags = client_get_auth_flags(client);
 info.local_ip = client->local_ip;
 info.remote_ip = client->ip;
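Review bot: The new if/else-if chain assigns `info.cert_username` only when one of the two sources is present, whereas the removed ternary always assigned it (NULL in the no-certificate case); if `info` is not zero-initialised earlier in sasl_server_auth_begin, which is outside the hunk, cert_username now carries whatever was in the struct before, and a stale or garbage value there is fed into an authentication decision. Either confirm the zeroing or terminate the chain with `else info.cert_username = NULL;`. The precedence also deserves a comment, since a proxy-reported CN now wins over the peer name of a locally terminated TLS session without the two being compared: `/* CN reported by the trusted proxy takes precedence over our own TLS peer name */`. sasl_server_auth_begin continues outside the hunk.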