Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Document peer certificate fingerprinting #1170

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Document peer certificate fingerprinting #1170

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d0bd021
Document peer certificate fingerprinting
cmouse Dec 31, 2024
03e045c
settings: Update ssl_request_client_cert_changed setting
cmouse Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion data/settings.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10265,6 +10265,17 @@ The most common choices are \`commonName\` and \`x500UniqueIdentifier\`.
Note: [[setting,auth_ssl_username_from_cert]] MUST be enabled.`
},

ssl_peer_certificate_fingerprint_hash: {
default: '',
seealso: [ 'ssl', '[[link,ssl_configuration]]', '[[link,passdb_check_client_fp]]' ],
values: setting_types.STRING,
text: `
An OpenSSL digest algorithm name to use to hash peer certificate names.
Setting this value enables \`ssl_client_cert_fp\` and \`ssl_client_cert_pubkey_fp\`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

enables [[link,passdb_check_client_fp,ssl_client_cert_fp and ssl_client_cert_pubkey_fp]]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

um, no, those are variables, not extra fields

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should say %{ssl_client_cert_fp} and %{ssl_client_cert_pubkey_fp} variables then

Also, I thought this setting was required for check_client_fp to work? That should be mentioned/linked in another sentence then.

availability in [[setting,login_log_format_elements]] and also in authentication
variables. Weak algorithms are explicitly blacklisted, such as MD5.`,
},

ssl_cipher_list: {
default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH (for ssl_server, empty for ssl_client)',
seealso: [ 'ssl', 'ssl_cipher_suites', 'ssl_min_protocol', '[[link,ssl_configuration]]' ],
Expand Down Expand Up @@ -10553,10 +10564,15 @@ Renamed from \`ssl_verify_client_cert\` setting.`
'auth_ssl_require_client_cert',
'[[link,ssl_configuration]]',
],
values: setting_types.BOOLEAN,
values: setting_types.ENUM,
values_enum: ['no', 'yes', 'any-cert'],
text: `
If enabled, the imap/pop3/etc. client is requested to send an SSL certificate.

You can accept any certificate with \'any-cert\' value, but you must configure
authentication to check the client certificate with [[link,passdb_check_client_fp,check_client_fp]] (or
variant) extra field. See [[link,passdb_check_client_fp]].

Note: This setting doesn't yet require the certificate to be valid or
to even exist. See [[setting,auth_ssl_require_client_cert]].`
},
Expand Down
36 changes: 36 additions & 0 deletions docs/core/config/auth/passdb.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ dovecotlinks:
passdb_result_values:
hash: result-values
text: "passdb: Result Values"
passdb_check_client_fp:
hash: check-client-fp
text: "passdb: check_client_fp Extra field"
---

# Password Databases (`passdb`)
Expand Down Expand Up @@ -442,6 +445,39 @@ a load spike of everybody getting logged in at exactly the same time.

Do not perform any authentication, just store extra fields if user is found.

##### `check_client_fp`

Match client certificate or public key fingerprint.

Requires configuring [[setting,ssl_peer_certificate_fingerprint_hash]], [[setting,auth_ssl_require_client_cert]],
and [[setting,ssl_server_request_client_cert]] to require a client cert.

This is intended to replace CA certificates with verifying client certificates using fingerprints, or to enforce
that particular public key is being used. If you are using CA certificates,
you can only fail authentication if the value is non-empty and does not match. If CA certificates are not used, then
if no passdb matches the fingerprint, then authentication is failed.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a bit strange text. "With CA authentication can only fail, but with fingerprints authentication is failed." so kind of the same. Also now it sounds like this is the main reason for using fingerprints. Should it be rather something like:

This can be used for verifying client certificates using per-user fingerprints stored in a database rather than relying on CA certificates.

If the fingerprints don't match, it's treated as a passdb failure ([[setting,passdb_result_failure]]). This allows the next passdb to continue authenticating the user in a different way. If CA certificates are used, the authentication can only fail without a fallback.

Although now I'm a bit confused about your sentence above "you can only fail authentication if the value is non-empty and does not match". Do you mean if CA certificates are used together with check_client_fp? Is there some point in doing that? Or what is this "value is non-empty" you refer to?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i clarified the text a bit. the only point is to do public key pinning, so you can be sure that the client is not using a cert with similar username but issued by some other CA or reissued to different public key.


The failure is per-passdb, so next passdb can continue authenticating the user.

::warning If CA certificates are not used, a passdb must provide a valid check_client_fp (or variant) to validate the
client certificate. If none is provided, the authentication will fail.

##### `check_client_cert_fp`

Match client certificate fingerprint. See [[setting,ssl_peer_certificate_fingerprint_hash]].
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about:

  • Match client certificate (but not public key) fingerprint.
  • See [[link,passdb_check_client_fp]]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think client certificate contains public key always, so it is implicitly checked.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I intended to differentiate the different check_client_*_fp fields with that comment. If it public key fingerprint is somehow implicitly checked, how are check_client_cert_fp and check_client_fp any different?


Certificate fingerprint is calculated by taking hash value of DER encoded X509 client certificate.

See [[link,passdb_check_client_fp]]

##### `check_client_pubkey_fp
`
Match client public key fingerprint (but not certificate). See [[setting,ssl_peer_certificate_fingerprint_hash]].

Public key fingerprint is calculated by taking hash value of DER encoded certificate public key.

See [[link,passdb_check_client_fp]]

#### `forward_<anything>`

In a proxy, pass the variable to the next hop (backend) as
Expand Down
4 changes: 4 additions & 0 deletions docs/core/settings/variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,8 @@ See also:
| `ssl_security` | TLS session security string. If HAProxy is configured and it terminated the TLS connection, contains "(proxied)". |
| `ssl_ja3` | [[link,ssl_ja3]] composed from TLS Client Hello. |
| `ssl_ja3_hash` | MD5 hash from [[link,ssl_ja3]] composed from TLS Client Hello. |
| `ssl_client_cert_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate. |
| `ssl_client_cert_pubkey_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate public key. |
| `mail_pid` | PID for process that handles the mail session post-login. |
| `original_user` | Same as `user`, except using the original username the client sent before any changes by auth process. With master user logins (also with [[setting,auth_master_user_separator]] based logins),this contains only the original master username. |
| `listener` | Socket listener name as specified in config file, which accepted the client connection. |
Expand Down Expand Up @@ -322,6 +324,8 @@ See also:
| `password` | Cleartext password from cleartext authentication mechanism. |
| `secured` | "TLS" with established SSL/TLS connections, "secured" with secured connections (see: [[setting,ssl]]). Otherwise empty. |
| `ssl_ja3_hash` | MD5 hash from JA3 string composed from TLS Client Hello. |
| `ssl_client_cert_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate. |
| `ssl_client_cert_pubkey_fp` | [[setting,ssl_peer_certificate_fingerprint_hash]] of client certificate public key. |
| `cert` | "valid" if client had sent a valid client certificate, otherwise empty. |
| `login_user` | For master user logins: Logged in user@domain. |
| `master_user` | For master user logins: The master username. |
Expand Down