search for: manmaster

...rainpoolP512r1 ] > [ openssl s_client -connect localhost:5555 -curves brainpoolP512r1 ] > > I am not familiar really with the OpenSSL API and only roughly gather > that the app (dovecot) would have to make the API call [ > SSL_CTX_set1_groups_list ] > (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) > in order to support those curves. > > Whoops. We have a setting called `ssl_curve_list` in dovecot, and I tried using that when I was testing. Turns out that there is a bug preventing that setting from being used. If you are compiling yourself, you can use...

>>>> I did some local testing and it seems that you are using a curve >>>> that is not acceptable for openssl as a server key. >>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem >>>> -port 5555 >>>> using cert generated with brainpool. Everything works if I use >>>> prime256v1 or secp521r1. This is a

> Seems like your firewall could redirect to a different port that doesn't > offer starttls. Yes, of course. But that would require multiple ports, making the client configuration cumbersome and error-prone. Michael

....key.pem -port 5555 -curves brainpoolP512r1 ] [ openssl s_client -connect localhost:5555 -curves brainpoolP512r1 ] I am not familiar really with the OpenSSL API and only roughly gather that the app (dovecot) would have to make the API call [ SSL_CTX_set1_groups_list ] (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) in order to support those curves.

...; [ openssl s_client -connect localhost:5555 -curves brainpoolP512r1 ] >> >> I am not familiar really with the OpenSSL API and only roughly gather >> that the app (dovecot) would have to make the API call [ >> SSL_CTX_set1_groups_list ] >> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) >> in order to support those curves. >> >> > Whoops. > > We have a setting called `ssl_curve_list` in dovecot, and I tried using > that when I was testing. Turns out that there is a bug preventing that > setting from being used. If you...

...-connect localhost:5555 -curves brainpoolP512r1 ] >>> >>> I am not familiar really with the OpenSSL API and only roughly gather >>> that the app (dovecot) would have to make the API call [ >>> SSL_CTX_set1_groups_list ] >>> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) >>> in order to support those curves. >>> >>> >> Whoops. >> >> We have a setting called `ssl_curve_list` in dovecot, and I tried using >> that when I was testing. Turns out that there is a bug preventing that >>...

On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote: > On 09-03-16 13:14, djk wrote: >> On 09/03/16 10:44, Florent B wrote: >>> Hi, >>> >>> I don't see any SSL configuration option in Dovecot to disable >>> "Client-initiated secure renegotiation". >>> >>> It is advised to disable it as it can

Well, what immediately stands out is: "FILE * open failed!" Have you triple checked that the full filepath is correct and that the user that Asterisk is running as has full permissions to access your valid certificate file? I have it working with microsip and a free TLS cert from LetsEncrypt. When I get to the PC with that on, I can write up what settings I've got if that helps?