Displaying 20 results from an estimated 34 matches for "ssl_ctx".
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...-0500
+++ dovecot-2.2.9/src/login-common/ssl-proxy-openssl.c 2015-02-11 00:32:19.262198000 -0500
@@ -951,54 +951,25 @@
return strstr(cert, "PRIVATE KEY---") != NULL;
}
-static void load_ca(X509_STORE *store, const char *ca,
- STACK_OF(X509_NAME) **xnames_r)
+static void load_ca(SSL_CTX *ssl_ctx, const char *ca)
{
- /* mostly just copy&pasted from X509_load_cert_crl_file() */
- STACK_OF(X509_INFO) *inf;
- X509_INFO *itmp;
- X509_NAME *xname;
- BIO *bio;
- int i;
-
- bio = BIO_new_mem_buf(t_strdup_noconst(ca), strlen(ca));
- if (bio == NULL)
- i_fatal("BIO_new_mem_buf()...
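Review bot: the new `load_ca(SSL_CTX *ssl_ctx, const char *ca)` signature drops the `STACK_OF(X509_NAME) **xnames_r` out-parameter that the old version filled in; the rest of the patch must update every caller that used that list (typically to build the acceptable-CA list sent in the CertificateRequest), otherwise the server still validates client certificates but stops telling clients which CAs it accepts, and clients with several certificates may pick the wrong one. Worth a sentence in the commit message saying how the CA list is now populated.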
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...Jun 28 19:48:37 2013 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sat Jul 06 14:46:16 2013 +1000
@@ -119,6 +119,10 @@
const struct master_service_ssl_settings *ssl_set);
static void ssl_server_context_deinit(struct ssl_server_context **_ctx);
+static void ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
+ const struct master_service_ssl_settings *set);
+static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set);
+
static unsigned int ssl_server_context_hash(const struct ssl_server_context *ctx)
{
unsigned...
2014 Oct 19
3
Dovecot 1.2.17 poodle
Hi, how do I protect dovecot 1.2.17 against poodle?
Br
/Marc
2012 Mar 20
1
IMAP and POP3 per SSL
...an be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
"The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set
SSLHonorCipherOrder On
in apache config. This results in the following C-Code being executed:
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setti...
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...char *ssl_options;
+ const char *ssl_lowest_version;
bool ssl_verify_client_cert;
bool ssl_require_crl;
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -1302,7 +1302,20 @@ ssl_server_context_init(const struct log
if (ctx->prefer_server_ciphers)
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ if (ssl_set->ssl_lowest_version) {
+ if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.0"))
+ S...
2007 Jun 11
2
SSL_CTX_set_info_callback problem in latest source
In the file ./src/login-common/ssl-proxy-openssl.c appears the code:
if (verbose_ssl)
SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
It appears the SSL_CTX_set_info_callback symbol only occurs in the
openssl development branch starting with 0x00909000L as this symbol
is missing from openssl 0.9.8b and 0.9.8e (no check of the latest
nightly snapshot of the stable 0.9.8 branch).
It...
2018 Jul 29
4
2.3.2.1 - EC keys support?
...acing [ no shared cipher ] error with EC private keys.
> the client connecting to your instance has to support ecdsa
>
>
It does - Thunderbird 60.0b10 (64-bit)
[ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
It seems there is a difference between the private key (rsa vs. ecc ->
SSL_CTX?) used for the certificate signing request and the signed
certificate.
The csr created from a private key with [ openssl genpkey -algorithm RSA
] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
But as stated in the initial message it does not work if the private key
for the csr is ge...
2011 Oct 13
1
[PATCH] Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low
...ory usage low.
diff -r 962df5d9413a -r c15d6befe200 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed Oct 12 17:16:10 2011 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Thu Oct 13 16:19:52 2011 -0300
@@ -925,6 +925,9 @@
STACK_OF(X509_NAME) *xnames = NULL;
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
if (*set->ssl_ca != '\0') {
/* set trusted CA certs */
store = SSL_CTX_get_cert_store(ssl_ctx);
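Review bot: the trade-off behind `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` is not documented in the hunk: with this mode OpenSSL frees a connection's read and write buffers whenever they are empty and allocates them again on the next record, so the memory saving is real for many mostly idle IMAP/POP3 connections but costs an allocation per burst of traffic; a short comment above the call stating this would help the next reader. The `#ifdef SSL_MODE_RELEASE_BUFFERS` guard itself is correct, since the constant only exists from OpenSSL 1.0.0 on and the build must keep working against 0.9.8.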
2006 Jun 01
1
ssl-proxy: client certificates and crl check
...BAD CERT %s: %s",X509_verify_cert_error_string(ctx->error),buf);
+ }
+ else
+ { i_warning("CERT: %s",buf); } /* logging */
- return 1;
+ return preverify_ok;
+ /* HJHJ */
+
}
static int
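Review bot: the `+ /* HJHJ */` marker and the empty `+` line after `return preverify_ok;` are unreachable and read as personal work notes; remove them before merging, and reformat `{ i_warning("CERT: %s",buf); }` to the surrounding brace style. The substantive change is `- return 1;` to `+ return preverify_ok;`: a verify callback that unconditionally returns 1 tells OpenSSL to accept every client certificate whatever the chain verification found, so propagating `preverify_ok` is what makes the configured CA and CRL checks actually enforce anything.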
@@ -666,10 +684,20 @@
if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
- SSL_VERIFY_CLIENT_ONCE,
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
ssl_verify_client_cert);
}
+ /* HJHJ */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE *store;
+ if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
+ { X509_STO...
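Review bot: replacing `SSL_VERIFY_CLIENT_ONCE` with `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` changes policy, not just a flag: a client that presents no certificate now fails the handshake instead of being let through, which should be called out in the commit message because deployments that relied on optional client certificates will break. Separately, `X509_STORE *store;` is declared after statements inside the block, which is not valid C89 and fails on stricter compilers of that era; hoist the declaration to the top of the function, and drop the `/* HJHJ */` marker here as well.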
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
...LSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients out there supporting only TLSv1 or TLSv1.1.
Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow
*disabling* specific protocols, without offering a way to enable previously
disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed
protocol versions, taking a linear version approach: the application may
request a minimum and a maximum allowed version (i...
2018 Jan 10
3
Can't compile Asterisk on Fedora server
...lared here
DEPRECATEDIN_1_1_0(void ERR_remove_thread_state(void *))
^
tcptls.c: In function '__ssl_setup':
tcptls.c:819:31: warning: implicit declaration of function
'SSLv2_client_method'; did you mean 'SSLv3_client_method'?
[-Wimplicit-function-declaration]
cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
^~~~~~~~~~~~~~~~~~~
SSLv3_client_method
tcptls.c:819:31: warning: passing argument 1 of 'SSL_CTX_new' makes pointer
from integer without a cast [-Wint-conversion]
In file included from
/u...
2017 Feb 14
0
openssl 1.1.0d breaks Android7 TLS connects
...icient.
The implementation only checks for SSL_CTRL_SET_ECDH_AUTO.
That was effective for OpenSSL 1.0.2, but in 1.1.0 it is removed.
That's the code part:
#ifdef SSL_CTRL_SET_ECDH_AUTO
/* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
   selection. */
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
#else
/* For OpenSSL < 1.0.2, ECDH temporary key parameter selection must be
   performed manually. Attempt to select the same curve as that used
   in the server's private EC key file. Otherwise fall back to the
   NIST P-384 (secp3...
2017 Nov 16
0
[PATCH] [libshout] tls: compile with OpenSSL 1.1.0
...R)
SSL_library_init();
SSL_load_error_strings();
SSLeay_add_all_algorithms();
SSLeay_add_ssl_algorithms();
- meth = TLSv1_client_method();
+ meth = SSLv23_client_method();
if (!meth)
goto error;
+#else
+ meth = TLS_client_method();
+#endif
tls->ssl_ctx = SSL_CTX_new(meth);
if (!tls->ssl_ctx)
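Review bot: `SSLv23_client_method()` negotiates the highest version both sides support, but unlike the `TLSv1_client_method()` it replaces it will also accept SSLv3 (and SSLv2 on very old builds) unless those are disabled, so the hunk should pin the floor right after `tls->ssl_ctx = SSL_CTX_new(meth);` with `SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`; on the `TLS_client_method()` branch the equivalent is `SSL_CTX_set_min_proto_version(tls->ssl_ctx, TLS1_VERSION)`. Without that, the compile fix silently widens the set of protocols the client will speak.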
--
2.15.0
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
...eNULL : !3DES
: @STRENGTH
However, this doesn't prevent the SSLv2 connection being allowed as our Nessus
scans show and I'm tasked with trying to plug that "hole".
I see Dovecot2 had the following change a year or so ago, in file
src/login-common/ssl-proxy-openssl.c:
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
I tried making the same change to dovecot1's src tree on our test system and
it seems to have the desired effect; however I am very hesitant about putting
this into our production system wi...
2019 Jun 07
1
Problem with opusfile & ndk
Hi Xiph.org Team.
We are using opusfile library <https://github.com/xiph/opusfile> for
streaming *.opus* audio in our projects.
But now we have a problem with building opusfile library for android with
*ndk-build*.
In particular, with arm64-v8a platform: Google removed <sys/timeb.h> from
android.
And now building opusfile with ndk-build crashes with error "fatal error:
2005 Sep 11
1
DSA support for TLS?
hi all,
i've dovecot TLS working correctly w/ locally generated *RSA* CA cert, domain
privkey & self-signed domain cert. to that end, my dovecot.conf includes:
ssl_key_file = /var/Security/mail.testdomain.com.privkey.rsa.pem
ssl_cert_file = /var/Security/mail.testdomain.com.cert.rsa.pem
ssl_ca_file =
2013 Sep 10
2
dovecot and PFS
Hi
Is there known advice on how to favor PFS with dovecot?
In Apache, I use the following directives, which cause all modern
browsers to adopt 256 bit PFS ciphers, while keeping backward
compatibility with older browsers and avoiding the BEAST attack:
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10
2003 Jun 15
3
0.99.10-test12
http://dovecot.procontrol.fi/test/
I should have released 0.99.10 already I think.. There are just two
annoying problems that I think should be fixed first:
- PAM: If user gives a wrong password, dovecot-auth process sleeps for
two seconds, blocking everyone else who is trying to authenticate at
the time. So using PAM isn't a very good idea at the moment.
- OpenSSL problems. Are they
2018 Jul 30
2
2.3.2.1 - EC keys support?
...ent connecting to your instance has to support ecdsa
>>>
>>>
>> It does - Thunderbird 60.0b10 (64-bit)
>>
>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>>
>> It seems there is a difference between the private key (rsa vs. ecc ->
>> SSL_CTX?) used for the certificate signing request and the signed
>> certificate.
>>
>> The csr created from a private key with [ openssl genpkey -algorithm RSA
>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
>>
>> But as stated in the initial message i...
2007 Jul 25
0
Problem with asterisk-addons - checking for mysql_init in -lmysqlclient... no
...void)':
: undefined reference to `__builtin_delete'
/usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x348b): In
function `yaSSL::Sessions::~Sessions(void)':
: undefined reference to `__builtin_delete'
/usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x37db): In
function `yaSSL::SSL_CTX::~SSL_CTX(void)':
: undefined reference to `__builtin_delete'
/usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x3c60): more
undefined references to `__builtin_delete' follow
/usr/lib/mysql/libmysqlclient.a(libtaocrypt_la-asn.o)(.gnu.linkonce.d.__vt_Q28TaoCrypt4HASH+0xc):
undefined re...