dovecot/documentation

Option auth_ssl_username_from_cert

britus opened this issue · 1 comments

Option 'auth_ssl_username_from_cert = yes' does nothing in Dovecot. I think this was written in documentation but not implemented.
Like my log:
dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate request [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [xx.xx.xx.xx]
dovecot: imap-login: Valid certificate: /C=DE/ST=Bavaria/L=Munich/O=Empire of Fun/OU=EoF Community/CN=Empire of Fun Root CA: user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS handshaking
dovecot: imap-login: Valid certificate: /C=DE/ST=Bavaria/L=Munich/O=Empire of Fun/OU=EoF Community/CN=Empire of Fun Intermediate CA: user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS handshaking
dovecot: imap-login: Valid certificate: /C=DE/ST=Bavaria/L=Munich/O=Empire of Fun/OU=EoF Community/CN=user-test@testdomain.dom/emailAddress=user-test@testdomain.dom: user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS handshaking
dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS read client certificate [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client certificate [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read certificate verify [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [xx.xx.xx.xx]
dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [xx.xx.xx.xx]
dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS
---------------------------------------------------------------------^^ No Username (ssl_cert_username_field = commonName)
dovecot: imap-login: Debug: SSL error: Disconnected
dovecot: imap-login: Debug: SSL alert: close notify [xx.xx.xx.xx]

Hi!

This is not our support channel; please use dovecot@dovecot.org for community support questions. The option is definitely implemented, and we have actual tests that verify its functionality.