search for: openssl_iostream_error

...itsize, DH_GENERATOR, NULL); +#else dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); if (dh == NULL) { + success = 0; + } +#endif + + if (success == 0) { *error_r = t_strdup_printf( - "DH_generate_parameters(bits=%d, gen=%d) failed: %s", - bitsize, DH_GENERATOR, openssl_iostream_error()); + "DH_generate_parameters(bits=%d, gen=%d) failed: %s", + bitsize, DH_GENERATOR, openssl_iostream_error()); return -1; } -- If anybody knows the instruction on how to send patches, please let me know and I follow those instructions. Regards, Peter van der Does

...ned char *p; @@ -17,3 +15,13 @@ - dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); + dsa = DSA_generate_parameters(bitsize, NULL, 0, NULL, NULL, NULL, NULL); + if (dsa == NULL) { + *error_r = t_strdup_printf( + "DSA_generate_parameters(bits=%d) failed: %s", + bitsize, openssl_iostream_error()); + return -1; + } + + dh = DSA_dup_DH(dsa); + DSA_free(dsa); + if (dh == NULL) { @@ -20,4 +28,4 @@ *error_r = t_strdup_printf( - "DH_generate_parameters(bits=%d, gen=%d) failed: %s", - bitsize, DH_GENERATOR, openssl_iostream_error()); + "DSA_dup_DH() failed: %s"...

...rent for LMTP than for IMAP or POP3) but I did not investigate this. I made the problem go away by making the following two changes: 1. The ssl_ctx_use_certificate_chain function now empties the OpenSSL error queue before doing its work by calling ERR_get_error() until the queue is empty. 2. The openssl_iostream_error function in a similar fashion empties the queue and returns only the error message for the most recent error (this prevent earlier errors from 'hiding' later/more relevant ones). After applying this second patch LMTP now works properly with certificate chains. Note that this patch makes pr...

...RATOR, NULL); +#else + success = 1; dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); if (dh == NULL) { + success = 0; + } +#endif + + if (success == 0) { *error_r = t_strdup_printf( "DH_generate_parameters(bits=%d, gen=%d) failed: %s", bitsize, DH_GENERATOR, openssl_iostream_error()); --

..._generate_parameters(bitsize, DH_GENERATOR, NULL, NULL); > if (dh == NULL) { > + success = 0; > + } > +#endif > + > + if (success == 0) { > *error_r = t_strdup_printf( > "DH_generate_parameters(bits=%d, gen=%d) failed: %s", > bitsize, DH_GENERATOR, openssl_iostream_error()); > -- I encourage you to open pull request at https://github.com/dovecot/core/pulls Aki

...phersuites != NULL && strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) { if (SSL_set_ciphersuitesl(ssl_io->ssl, set->ciphersuites) == 0) { *error_r = t_strdup_printf( "Can't set ciphersuites to '%s': %s", set->ciphersuites, openssl_iostream_error()); return -1; } } #endif ... suggests that ciphersuite support exists. bug, checking in ./src/lib-master/master-service-ssl.c ... void master_service_ssl_ctx_init(struct master_service *service) { const struct master_service_ssl_settings *set; struct ssl_iostream_s...

...bool have_ca = FALSE; if (set->ca != NULL) { store = SSL_CTX_get_cert_store(ctx->ssl_ctx); - if (load_ca(store, set->ca, &xnames) < 0) { + if (load_ca(ctx->ssl_ctx, set->ca) < 0) { *error_r = t_strdup_printf("Couldn't parse ssl_ca: %s", openssl_iostream_error()); return -1; } - ssl_iostream_ctx_verify_remote_cert(ctx, xnames); + ssl_iostream_ctx_verify_remote_cert(ctx); have_ca = TRUE; } ca_file = set->ca_file == NULL || *set->ca_file == '\0' ? -------------- next part -------------- A non-text attachment was scrubbed... Na...