#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
+# File containing trusted SSL certificate authorities. Usually not needed.
+#ssl_ca_file =
+
+# Require client to send a valid certificate, otherwise fail the SSL handshake.
+#ssl_verify_client_cert = no
+
# SSL parameter file. Master process generates this file for login processes.
# It contains Diffie Hellman and RSA parameters.
#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
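Review bot: The new `ssl_ca_file` comment says "Usually not needed", but the `ssl_verify_client_cert` option added right below it cannot verify anything without a trust anchor, so an admin who enables the latter and leaves the former empty will presumably get every TLS handshake rejected rather than a clear configuration error. I would tie the two options together in the example config, e.g. `# File containing trusted SSL certificate authorities. Required if ssl_verify_client_cert = yes.` on the `ssl_ca_file` line and `# Require client to send a valid certificate (signed by a CA in ssl_ca_file), otherwise fail the SSL handshake.` on the `ssl_verify_client_cert` line. It is also worth stating in the comment that a verified certificate only proves the client holds a CA-issued key; nothing in this change binds the certificate's subject to the login name, so the normal password authentication still applies.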
if (SSL_CTX_need_tmp_RSA(ssl_ctx))
SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
+ if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
+ SSL_VERIFY_CLIENT_ONCE, NULL);
+ }
+
/* PRNG initialization might want to use /dev/urandom, make sure it
does it before chrooting. */
if (RAND_bytes(&buf, 1) != 1)
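Review bot: The `SSL_CTX_set_verify` call enables `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, but nothing in this hunk loads the `ssl_ca_file` trust store into `ssl_ctx` (no `SSL_CTX_load_verify_locations` or `SSL_CTX_set_client_CA_list`); unless that happens elsewhere in this function, every client certificate will fail chain verification and the option effectively turns TLS off. I would load the CA file and fail loudly before installing the verify flags, e.g. `if (SSL_CTX_load_verify_locations(ssl_ctx, ca_file, NULL) != 1) i_fatal("Can't load CA file %s: %s", ca_file, ssl_last_error());`, and also call `SSL_CTX_set_verify_depth(ssl_ctx, n)` so an attacker cannot feed arbitrarily long chains. Passing `NULL` as the verify callback means failures are silent; given the existing `verbose_ssl` setting, a small callback that logs `X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))` and returns `preverify_ok` unchanged would make misconfiguration diagnosable. The enclosing function starts before this hunk and continues past it.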
env_put(t_strconcat("SSL_CIPHER_LIST=",
set->ssl_cipher_list, NULL));
}
+ if (set->ssl_verify_client_cert)
+ env_put("SSL_VERIFY_CLIENT_CERT=1");
}
if (set->disable_plaintext_auth)
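Review bot: `SSL_VERIFY_CLIENT_CERT=1` is exported to the login process here, but I do not see the corresponding CA file being passed through this environment block the way `SSL_CIPHER_LIST` is on the lines above; if `ssl_ca_file` is not exported elsewhere, the login process has the flag but no trust store to verify against. I would export it alongside, `if (set->ssl_ca_file != NULL) env_put(t_strconcat("SSL_CA_FILE=", set->ssl_ca_file, NULL));`, and ideally refuse to start (or at least log) when `ssl_verify_client_cert` is set without an `ssl_ca_file`, since that combination cannot produce a working handshake. The consumer only tests the variable for presence, so the literal `1` is fine but the comment should say the value is ignored. The enclosing function starts before this hunk.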
DEF(SET_STR, ssl_parameters_file),
DEF(SET_STR, ssl_parameters_regenerate),
DEF(SET_STR, ssl_cipher_list),
+ DEF(SET_BOOL, ssl_verify_client_cert),
DEF(SET_BOOL, disable_plaintext_auth),
DEF(SET_BOOL, verbose_ssl),
MEMBER(ssl_parameters_file) "ssl-parameters.dat",
MEMBER(ssl_parameters_regenerate) 24,
MEMBER(ssl_cipher_list) NULL,
+ MEMBER(ssl_verify_client_cert) FALSE,
MEMBER(disable_plaintext_auth) TRUE,
MEMBER(verbose_ssl) FALSE,
const char *ssl_parameters_file;
unsigned int ssl_parameters_regenerate;
const char *ssl_cipher_list;
+ int ssl_verify_client_cert;
int disable_plaintext_auth;
int verbose_ssl;