hi all,

i've dovecot TLS working correctly w/ locally generated *RSA* CA cert, domain privkey & self-signed domain cert. to that end, my dovecot.conf includes:

    ssl_key_file = /var/Security/mail.testdomain.com.privkey.rsa.pem
    ssl_cert_file = /var/Security/mail.testdomain.com.cert.rsa.pem
    ssl_ca_file = /var/Security/MyCertificateAuthority.CA.cert.rsa.pem
    ssl_verify_client_cert = no
    ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

however, if I try to set up for DSA use:

    ssl_key_file = /var/Security/mail.testdomain.com.privkey.dsa.pem
    ssl_cert_file = /var/Security/mail.testdomain.com.cert.dsa.pem
    ssl_ca_file = /var/Security/MyCertificateAuthority.CA.cert.dsa.pem
    ssl_verify_client_cert = no
    ssl_parameters_file = /var/Security/dsaparam.pem
    ssl_parameters_regenerate = 0

an attempt @ dovecot launch results in a logged error of:

    dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key

wherein it looks like dovecot is _still_ seeking an RSA key.

fwiw,

    % cat /var/Security/mail.testdomain.com.privkey.dsa.pem
    -----BEGIN DSA PRIVATE KEY-----
    ...

i've searched the dovecot wiki, and although the _only_ reference i find to dsa/diffie is @:

    http://wiki.dovecot.org/moin.cgi/MainConfig

    " ... SSL parameter file. Master process generates this file for login processes. It contains Diffie Hellman and RSA parameters.
    ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat ... "

it does seem to imply that DSA certs are, at least, supported.

comments?

cheers,

richard
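A diagnostic for the key/cert pair in the configuration above, added here and not part of the thread or of Dovecot: it reads the algorithm out of the private key and the certificate and checks that the two belong together, so the files can be ruled out before the server itself is suspected. It assumes the openssl CLI (1.1 or 3.x) is installed; the file paths are whatever ssl_key_file and ssl_cert_file point at.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or Dovecot): report the algorithm of
# a PEM private key and certificate and check that the pair belongs together.
# Assumes the openssl CLI; key and certificate paths are passed as arguments.

# Algorithm OID name from the key's SubjectPublicKeyInfo: rsaEncryption,
# dsaEncryption or id-ecPublicKey. Taken from the DER rather than the PEM
# header, because a PKCS#8 file only says "BEGIN PRIVATE KEY".
key_algorithm() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl asn1parse -inform DER 2>/dev/null \
        | awk -F: '/OBJECT/ { sub(/^ */, "", $NF); print $NF; exit }'
}

# Same for a certificate, from its Subject Public Key Info.
cert_algorithm() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl asn1parse -inform DER 2>/dev/null \
        | awk -F: '/OBJECT/ { sub(/^ */, "", $NF); print $NF; exit }'
}

# Succeed only if the certificate carries exactly the key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# One-line verdict for an ssl_key_file / ssl_cert_file pair.
check_pair() {
    ka=$(key_algorithm "$1"); ca=$(cert_algorithm "$2")
    if [ -z "$ka" ]; then echo "UNREADABLE key $1"; return 1; fi
    if [ "$ka" != "$ca" ]; then echo "MISMATCH key=$ka cert=$ca"; return 1; fi
    if ! key_matches_cert "$1" "$2"; then
        echo "MISMATCH key does not belong to cert"; return 1
    fi
    echo "OK $ka key and cert match"
}

# Usage: sh check_pair.sh /var/Security/mail.testdomain.com.privkey.dsa.pem \
#                         /var/Security/mail.testdomain.com.cert.dsa.pem
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

An "OK dsaEncryption" verdict on the DSA pair means the files are fine and the "expecting an rsa key" error comes from the program loading them, not from the key.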
On Sun, 2005-09-11 at 12:52 -0700, OpenMacNews wrote:
> dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file
> /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital
> envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key

Well, I'm not sure why so many other programs seem to want to require RSA private keys (where I looked at examples of how to use OpenSSL), but I think this patch fixes it (committing to CVS too):

Index: src/login-common/ssl-proxy-openssl.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v
retrieving revision 1.28
diff -u -r1.28 ssl-proxy-openssl.c
--- src/login-common/ssl-proxy-openssl.c 18 Sep 2005 14:43:10 -0000 1.28
+++ src/login-common/ssl-proxy-openssl.c 18 Sep 2005 15:55:35 -0000
@@ -487,8 +487,8 @@
 certfile, ssl_last_error());
 }
 
- if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile,
- SSL_FILETYPE_PEM) != 1) {
+ if (SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile,
+ SSL_FILETYPE_PEM) != 1) {
 i_fatal("Can't load private key file %s: %s",
 keyfile, ssl_last_error());
 }
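Review bot: SSL_CTX_use_PrivateKey_file is the right generic loader here (it accepts RSA, DSA and any other key type the PEM reader understands, where SSL_CTX_use_RSAPrivateKey_file rejected everything but RSA with exactly the "expecting an rsa key" error reported), but the hunk still does not confirm that the key it loaded belongs to the certificate loaded just above it. Consider adding `if (SSL_CTX_check_private_key(ssl_ctx) != 1) i_fatal("Private key %s does not match certificate %s: %s", keyfile, certfile, ssl_last_error());` after this block, so that a key/cert mismatch, which is easy to produce when ssl_key_file and ssl_cert_file are both being switched from RSA to DSA, fails at startup with a clear message instead of surfacing later in a TLS handshake.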