search for: ssl_crypto_device

Displaying 20 results from an estimated 39 matches for "ssl_crypto_device".

2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...1 + src/login-common/ssl-proxy-openssl.c | 15 ++++++++++++++- 4 files changed, 18 insertions(+), 1 deletion(-) --- a/src/config/all-settings.c +++ b/src/config/all-settings.c @@ -308,6 +308,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -26,6 +26,7 @@ static const struct setting_define maste DEF(SET_STR, ssl_...
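Review bot: in the `struct master_service_ssl_settings` hunk of src/config/all-settings.c, `ssl_lowest_version` is added as a free-form `const char *` beside `ssl_options`, with nothing in the visible lines saying which values it accepts or how it relates to the existing `ssl_protocols` setting. I would ask for a short comment on the field and for the settings check to reject an unrecognised version string, so that a typo cannot change the effective minimum TLS version unnoticed. The rest of the patch is cut off here, so please confirm the ssl-proxy-openssl.c part covers this.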
2016 Oct 13
2
SSL error
...net_listener imaps { port = 993 ssl = yes } } service lmtp { process_min_avail = 10 unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl = required ssl_cert = </etc/letsencrypt/live/thetradinghall.com/fullchain.pem ssl_crypto_device = dynamic ssl_key = </etc/letsencrypt/live/thetradinghall.com/privkey.pem ssl_protocols = !SSLv2 !SSLv3 userdb { args = uid=5000 gid=5000 home=/storage/vmail/%d/%n driver = static } verbose_ssl = yes protocol lmtp { hostname = thetradinghall.com postmaster_address = postmaster at thetrad...
2017 Aug 27
3
[PATCH] Add support for lower TLS version than default
On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote: >> DEF(SET_STR, ssl_protocols), >> DEF(SET_STR, ssl_cert_username_field), >> DEF(SET_STR, ssl_crypto_device), >> + DEF(SET_STR, ssl_lowest_version), > >Does it really require a new setting? Couldn't it use the existing >ssl_protocols setting? You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 which avoids tls1.1. Not saying that it is a good thing to do. Also y...
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
...word = "", .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", - .ssl_protocols = "!SSLv2", +#ifdef SSL_TXT_SSLV2 + .ssl_protocols = "!SSLv2 !SSLv3", +#else + .ssl_protocols = "!SSLv3", +#endif .ssl_cert_username_field = "commonName", .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE, -- 2.10.1
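Review bot: the `#ifdef SSL_TXT_SSLV2` split of the `.ssl_protocols` default has no comment explaining why the `!SSLv2` token is only present when that macro is defined. A one-line comment above the `#ifdef` would help. The unchanged context line `.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL"` still names SSLv2 unconditionally, so it is worth checking whether that string needs the same guard. Since this changes a shipped default to `!SSLv3`, the documented default for `ssl_protocols` should be updated in the same change.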
2020 Nov 15
1
no shared cipher openssl
...!PSK: !RC4:!ADH:!LOW at STRENGTH # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: # no_compression - Disable compression. # no_ticket - Disable SSL session tickets. #ssl_options = =========================== # openssl x509 -dates -in mydomain.com.crt notBefore=Nov 11 16:31:35 2020 GMT notAfter=Nov 11 16:31:35 2022 GMT...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients
2017 Aug 27
0
[PATCH] Add support for lower TLS version than default
...itself supports also TLS1.1 and TLS1.0. > If the admin decides to also support TLS1.[01] users he can then enable > the lower protocol version in case the users can't update their system. .. > DEF(SET_STR, ssl_protocols), > DEF(SET_STR, ssl_cert_username_field), > DEF(SET_STR, ssl_crypto_device), > + DEF(SET_STR, ssl_lowest_version), Does it really require a new setting? Couldn't it use the existing ssl_protocols setting?
2017 Aug 27
0
[PATCH] Add support for lower TLS version than default
On 2017-08-27 13:46, Sebastian Andrzej Siewior wrote: > On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote: >>> DEF(SET_STR, ssl_protocols), >>> DEF(SET_STR, ssl_cert_username_field), >>> DEF(SET_STR, ssl_crypto_device), >>> + DEF(SET_STR, ssl_lowest_version), >> Does it really require a new setting? Couldn't it use the existing >> ssl_protocols setting? > You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 which avoids tls1.1. Not saying that it is a good thing...
2020 Nov 16
0
no shared cipher openssl
...order of ciphers over client's. > > #ssl_prefer_server_ciphers = no > > > > # Prefer the server's order of ciphers over client's. > > #ssl_prefer_server_ciphers = no > > # SSL crypto device to use, for valid values run "openssl engine" > > #ssl_crypto_device = > > > > # SSL extra options. Currently supported options are: > > # no_compression - Disable compression. > > # no_ticket - Disable SSL session tickets. > > #ssl_options = > > > > =========================== > > # openssl x509 -dates -in mydom...
2011 Nov 24
1
v2.1.rc1 released
...her small issues. Many of the fixed bugs exist also in v2.0, but since they are so minor I didn't bother backporting the fixes. As new features since v2.1.beta1 there are the things I did also for v2.0.16, and: * ssl_client_cert/key: Proxying can now send SSL certificate to backend server * ssl_crypto_device for enabling hardware encryption * SCRAM-SHA-1 authentication mechanism support by Florian Zeitz * passdb/userdb checkpassword: Export all auth %variables to AUTH_* environment. * maildir_broken_filename_sizes setting for people upgrading from other maildir servers that wrote tons of broken S=&l...
2016 Oct 13
2
SSL error
I run dovecot + postfix as my email server. Everything is working as expected, but I see an error in the dovecot logs: lmtp(7331): Error: SSL context initialization failed, disabling SSL: ENGINE_init(dynamic) failed Dovecot is running and emails are OK. I wonder why this error occurs and how I can fix it? I see it is an SSL issue but have no idea in which direction to look. Thank you for your help
2014 May 27
1
Odd ownership of the dovecot-uidlist file
...-postlogin { executable = script-login -d /usr/local/bin/postlogin.sh } service imap { executable = imap imap-postlogin } service pop3-login { inet_listener pop325 { port = 25110 } } service pop3 { executable = pop3 imap-postlogin } ssl_cert = </var/www/mailadmin/ssl/cert.pem ssl_crypto_device = dynamic ssl_key = </var/www/mailadmin/ssl/mailx.hosts.net.nz.key userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } userdb { args = /etc/dovecot/dovecot-sql-cram.conf.ext driver = sql } verbose_proctitle = yes protocol imap { imap_capability = +XHOST_brio imap_l...
2012 Jun 14
1
disable_plaintext_auth = no as no effect on IMAP/POP3 logins
...user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = required ssl_ca = ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_key = </etc/pki/dovecot/private/dovecot.pem ssl_key_password = ssl_parameters_regenerate = 1 weeks ssl_protocols = !SSLv2 ssl_verify_client_cert = no stats_command_min_time = 1 mins stats_domain_min_time = 12 hours stats_ip_min_time = 12 hours stats_memory_limit = 16 M stats_session_min_ti...
2011 Apr 18
4
Solaris hardware crypto engines
Hello, I tried to find out how to use the hardware crypto engines under Solaris (Sun Fire T2000). It seems that it's not just a compilation issue: > For operations that are to be offloaded, it is necessary to restrict use to subset > of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11 > engine; something like the following works for bulk
2017 Feb 09
1
dovecot logout issues
..._user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = yes ssl_ca = ssl_cert = </var/qmail/control/servercert.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_ca_dir = ssl_client_ca_file = ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_dh_parameters_length = 2048 ssl_key = </var/qmail/control/servercert.pem ssl_key_password = ssl_parameters_regenerate = 0 ssl_prefer_server_ciphers = no ssl_protocols = !SSLv2 ssl_require_crl = yes ssl_verify_client_cert = no state_dir = /var/lib/dovecot stats_command_min_time = 1 mins s...
2012 Dec 18
6
dovecot index errors since 2.1.12
Hi, After upgrading to dovecot 2.1.12, I see a lot of these errors: # 2.1.12: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-279.14.1.el6.x86_64 x86_64 CentOS release 6.3 (Final) # Filesystem: ext4 with mdbox storage Dec 10 15:21:04 mail dovecot: imap(user at example.org): Error: Cached message size smaller than expected (5010 < 8192) Dec 10 15:21:04 mail dovecot: imap(user at example.org):
2013 Apr 18
1
Multiple Logins on same accounts from different stations
...rvice_count = 0 type = user = $default_internal_user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = yes ssl_ca = ssl_cert = </etc/dovecot/dovecot.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_key = </etc/dovecot/private/dovecot.pem ssl_key_password = ssl_parameters_regenerate = 1 weeks ssl_protocols = !SSLv2 ssl_require_crl = yes ssl_verify_client_cert = no stats_command_min_time = 1 mins stats_domain_min_time = 12 hours stats_ip_min_time = 12 hours stats_memory_limit = 16 M...
2012 Jun 08
1
2.1.7 altmove not working
...0 user = } user = $default_internal_user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = yes ssl_ca = ssl_cert = </etc/ssl/certs/ifanetcertkey.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_key = </etc/ssl/certs/ifanetcertkey.pem ssl_key_password = ssl_parameters_regenerate = 1 weeks ssl_protocols = !SSLv2 ssl_require_crl = yes ssl_verify_client_cert = no stats_command_min_time = 1 mins stats_domain_min_time = 12 hours stats_ip_min_time = 12 hours stats_memory_limit = 16 M...
2014 Jan 16
0
[Dovecot auth crash]
...user = $default_internal_user vsz_limit = 18446744073709551615 B } shutdown_clients = yes ssl = yes ssl_ca = </etc/ssl/gandi.pem ssl_cert = </etc/ssl/cert-azuria.net.crt ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_key = </etc/ssl/azuria.key ssl_key_password = ssl_parameters_regenerate = 1 weeks ssl_protocols = !SSLv2 ssl_require_crl = yes ssl_verify_client_cert = no stats_command_min_time = 1 mins stats_domain_min_time = 12 hours stats_ip_min_time = 12 hours stats_memory_limit = 16 M stats_session_m...