search for: dh_gener

In src/lib-ssl-iostream/iostream-openssl-params.c a call is made to DH_generate_parameters. This function has been deprecated since OpenSSL 0.9.8. With OpenSSL 1.1 compilation will throw an error. Not sure how to send patches, I don't even know if the patch I wrote actually works (I don't program in C, but gave it a shot anyway) but below is the patch. --- a/src/l...

...arams.c +++ b/src/lib-ssl-iostream/iostream-openssl-params.c @@ -13,10 +13,19 @@ generate_dh_parameters(int bitsize, buffer_t *output, const char **error_r) { DH *dh; unsigned char *p; - int len, len2; + int len, len2, success; +#if OPENSSL_VERSION_NUMBER >= 0x00908000L + success = DH_generate_parameters_ex(dh, bitsize, DH_GENERATOR, NULL); +#else + success = 1; dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); if (dh == NULL) { + success = 0; + } +#endif + + if (success == 0) { *error_r = t_strdup_printf( "DH_generate_parameters(bits=%d, gen=%d) failed:...

...penssl-params.c > @@ -13,10 +13,19 @@ generate_dh_parameters(int bitsize, buffer_t *output, const char **error_r) > { > DH *dh; > unsigned char *p; > - int len, len2; > + int len, len2, success; > > +#if OPENSSL_VERSION_NUMBER >= 0x00908000L > + success = DH_generate_parameters_ex(dh, bitsize, DH_GENERATOR, NULL); > +#else > + success = 1; > dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); > if (dh == NULL) { > + success = 0; > + } > +#endif > + > + if (success == 0) { > *error_r = t_strdup_printf( >...

...------------------------------------------------------------------ --- iostream-openssl-params.c~ Tue Nov 3 16:08:38 2015 +++ iostream-openssl-params.c Tue Nov 3 15:43:39 2015 @@ -6,5 +6,2 @@ -/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the - default.. */ -#define DH_GENERATOR 2 @@ -14,2 +11,3 @@ DH *dh; + DSA *dsa; unsigned char *p; @@ -17,3 +15,13 @@ - dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); + dsa = DSA_generate_parameters(bitsize, NULL, 0, NULL, NULL, NULL, NULL); + if (dsa == NULL) { + *error_r = t_strdup_printf( + "DSA_gen...

...liasing=2 -MT iostream-openssl-params.lo -MD -MP -MF .deps/iostream-openssl-params.Tpo -c iostream-openssl-params.c -fPIC -DPIC -o .libs/iostream-openssl-params.o ^[[91miostream-openssl-params.c: In function 'generate_dh_parameters': ^[[0m^[[91miostream-openssl-params.c:18:2: warning: 'DH_generate_parameters' is deprecated [-Wdeprecated-declarations] dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); ^~ ^[[0m^[[91mIn file included from /usr/include/openssl/dh.h:13:0, from /usr/include/openssl/dsa.h:31, from /usr/include/openssl/x509.h...

...but when DH generator fails, ssl-params hangs forever in io_loop_run: __epoll_wait_nocancel() io_loop_handler_run(..) at ioloop-epoll.c:176 io_loop_run(..) at ioloop.c:406 master_service_run(..) at master-service.c:566 main(..) at main.c:156 Getting system in FIPS mode can be a little tricky, but DH_generator simulated failure can do the trick. Just change ssl-params/ssl-params-openssl.c:generate_dh_paramaters:39 - if (dh == NULL) { + if (1 || dh == NULL) { and when you run ssl-params (with no ssl-parameters.dat), it hangs. Let me know if you need more information. Regards, Michal H...

> On Apr 25, 2017, at 4:30 PM, Peter van der Does <peter at avirtualhome.com> wrote: > > The problem with making the Dovecot check for libmysqlclient.so.20 would > be that you have have to make sure older/newer packages are also > supported. The 20 extension is subject to changes. > > If I check the Oracle DEB file for Debian 9, it seems they do use the > name