search for: ssl_ctx

Displaying 20 results from an estimated 34 matches for "ssl_ctx".

2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...-0500 +++ dovecot-2.2.9/src/login-common/ssl-proxy-openssl.c 2015-02-11 00:32:19.262198000 -0500 @@ -951,54 +951,25 @@ return strstr(cert, "PRIVATE KEY---") != NULL; } -static void load_ca(X509_STORE *store, const char *ca, - STACK_OF(X509_NAME) **xnames_r) +static void load_ca(SSL_CTX *ssl_ctx, const char *ca) { - /* mostly just copy&pasted from X509_load_cert_crl_file() */ - STACK_OF(X509_INFO) *inf; - X509_INFO *itmp; - X509_NAME *xname; - BIO *bio; - int i; - - bio = BIO_new_mem_buf(t_strdup_noconst(ca), strlen(ca)); - if (bio == NULL) - i_fatal("BIO_new_mem_buf()...
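Review bot: the new load_ca(SSL_CTX *ssl_ctx, const char *ca) drops the xnames_r out-parameter through which the old version returned the CA subject names it collected while loading the bundle, and the visible part of the hunk does not show where those names now come from. Check that the caller still obtains the list it previously got from xnames_r (that is what populates the client CA list sent in the certificate request); if the new version no longer produces it, clients are left without the hint of which CAs to present a certificate from. Dropping the hand-rolled BIO/X509_INFO loop copied from X509_load_cert_crl_file() is fine as long as the replacement loads the same PEM bundle.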
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...Jun 28 19:48:37 2013 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Sat Jul 06 14:46:16 2013 +1000 @@ -119,6 +119,10 @@ const struct master_service_ssl_settings *ssl_set); static void ssl_server_context_deinit(struct ssl_server_context **_ctx); +static void ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx, + const struct master_service_ssl_settings *set); +static int ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set); + static unsigned int ssl_server_context_hash(const struct ssl_server_context *ctx) { unsigned...
2014 Oct 19
3
Dovecot 1.2.17 poodle
Hi, how do I protect dovecot 1.2.17 against poodle? Br /Marc
2012 Mar 20
1
IMAP and POP3 per SSL
...an be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 "The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set SSLHonorCipherOrder On in apache config. This results in the following C-Code being executed: SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setti...
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/login-common/ssl-proxy-openssl.c +++ b/src/login-common/ssl-proxy-openssl.c @@ -1302,7 +1302,20 @@ ssl_server_context_init(const struct log if (ctx->prefer_server_ciphers) SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols)); - +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + if (ssl_set->ssl_lowest_version) { + if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.0")) + S...
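Review bot: `if (ssl_set->ssl_lowest_version)` only tests the pointer. Dovecot settings strings are non-NULL and empty when unset (the same file tests `if (*set->ssl_ca != '\0')` for exactly that reason), so with the setting left out the strcmp chain runs against "" and falls through to whatever the unmatched branch does. Test `*ssl_set->ssl_lowest_version != '\0'` instead. Also note that the `SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols))` line just above still applies the ssl_protocols mask, so a lowest version that conflicts with ssl_protocols (for example "TLS1.0" together with "!TLSv1") should be rejected at settings-check time or documented as being overridden.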
2007 Jun 11
2
SSL_CTX_set_info_callback problem in latest source
In the file ./src/login-common/ssl-proxy-openssl.c appears the code: if (verbose_ssl) SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); It appears the SSL_CTX_set_info_callback symbol only occurs in the openssl development branch starting with 0x00909000L as this symbol is missing from openssl 0.9.8b and 0.9.8e (no check of the latest nightly snapshot of the stable 0.9.8 branch). It...
2018 Jul 29
4
2.3.2.1 - EC keys support?
...acing [ no shared cipher ] error with EC private keys. > the client connecting to your instance has to support ecdsa > > It does - Thunderbird 60.0b10 (64-bit) [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ] It seems there is a difference between the private key (rsa vs. ecc -> SSL_CTX?) used for the certificate signing request and the signed certificate. The csr created from a private key with [ openssl genpkey -algorithm RSA ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. But as stated in the initial message it does not work if the private key for the csr is ge...
2011 Oct 13
1
[PATCH] Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low
...ory usage low. diff -r 962df5d9413a -r c15d6befe200 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Wed Oct 12 17:16:10 2011 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Thu Oct 13 16:19:52 2011 -0300 @@ -925,6 +925,9 @@ STACK_OF(X509_NAME) *xnames = NULL; SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif if (*set->ssl_ca != '\0') { /* set trusted CA certs */ store = SSL_CTX_get_cert_store(ssl_ctx);
2006 Jun 01
1
ssl-proxy: client certificates and crl check
...BAD CERT %s: %s",X509_verify_cert_error_string(ctx->error),buf); + } + else + { i_warning("CERT: %s",buf); } /* logging */ - return 1; + return preverify_ok; + /* HJHJ */ + } static int @@ -666,10 +684,20 @@ if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) { SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | - SSL_VERIFY_CLIENT_ONCE, + SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_client_cert); } + /* HJHJ */ +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + X509_STORE *store; + if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL ) + { X509_STO...
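Review bot: the change from `return 1;` to `return preverify_ok;` is the substantive fix here (the old callback returned 1 unconditionally, so every client certificate was accepted regardless of the verify result) and deserves a sentence in the commit message; the `/* HJHJ */ ` marker comments should be removed before this is merged. `X509_STORE *store;` is declared after statements inside the `#if OPENSSL_VERSION_NUMBER >= 0x00907000L` block, which C89 compilers reject; move the declaration to the top of the enclosing block. Finally, replacing SSL_VERIFY_CLIENT_ONCE with SSL_VERIFY_FAIL_IF_NO_PEER_CERT changes behaviour in two ways: the handshake now fails when no client certificate is presented, and the certificate is requested again on renegotiation, so both should be stated as intended.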
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
...LSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients out there supporting only TLSv1 or TLSv1.1. Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow *disabling* specific protocols, without offering a way to enable previously disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed protocol versions, taking a linear version approach: the application may request a minimum and a maximum allowed version (i...
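The conversion the RFC describes, as an added example that is not code from this thread, from Dovecot or from OpenSSL: it takes an OpenSSL 1.0-era "!SSLv3 !TLSv1" style list, as used for the ssl_protocols setting, and produces the min/max pair that the OpenSSL 1.1 SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() API expects. Because that API is linear, a list that disables a version in the middle ("!TLSv1.1" alone) has no equivalent, and the example refuses it rather than silently re-enabling the version. The function names, the allow-list semantics when a bare name appears, and the acceptance of a legacy "!SSLv2" token as a no-op are assumptions of the example; only the version constants are taken from the OpenSSL headers, with fallbacks so the file also builds where they are absent.

```c
/*
 * Added example (not Dovecot or OpenSSL code): translate an OpenSSL 1.0-style
 * "disable these" list such as "!SSLv3 !TLSv1" into the (min, max) pair that
 * OpenSSL 1.1's SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version()
 * take. Function names and the hole-rejection policy are this example's own.
 * Only version constants come from <openssl/ssl.h>; nothing links against libssl.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif
#ifndef TLS1_2_VERSION              /* fallback: the same values OpenSSL uses */
# define SSL3_VERSION   0x0300
# define TLS1_VERSION   0x0301
# define TLS1_1_VERSION 0x0302
# define TLS1_2_VERSION 0x0303
#endif

/* Ordered lowest to highest; the 1.1 API treats versions as one line. */
static const struct { const char *name; int version; } protocols[] = {
    { "SSLv3",   SSL3_VERSION },
    { "TLSv1",   TLS1_VERSION },
    { "TLSv1.1", TLS1_1_VERSION },
    { "TLSv1.2", TLS1_2_VERSION },
};
#define N_PROTOCOLS (sizeof(protocols) / sizeof(protocols[0]))

/* Case-insensitive compare of a NUL-terminated name with a len-byte token. */
static int name_eq(const char *name, const char *tok, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (name[i] == '\0' ||
            tolower((unsigned char)name[i]) != tolower((unsigned char)tok[i]))
            return 0;
    return name[len] == '\0';
}

/*
 * 0 and *min_r/*max_r filled on success; -1 for an unknown name or an empty
 * result; -2 when a version in the middle is disabled ("!TLSv1.1" alone), which
 * a min/max pair cannot express and must not be widened silently.
 * Assumed (Dovecot-style) semantics: "!X" disables X; if any bare name appears,
 * only the named protocols are enabled. Separators are spaces or commas.
 */
int protocol_list_to_range(const char *list, int *min_r, int *max_r)
{
    int include[N_PROTOCOLS] = {0}, exclude[N_PROTOCOLS] = {0}, any_include = 0;
    size_t i, lo, hi;
    const char *p = list;

    while (*p != '\0') {
        const char *start;
        size_t len, idx;
        int neg = 0;

        if (*p == ' ' || *p == ',' || *p == '\t') { p++; continue; }
        if (*p == '!') { neg = 1; p++; }
        start = p;
        while (*p != '\0' && *p != ' ' && *p != ',' && *p != '\t') p++;
        len = (size_t)(p - start);

        /* OpenSSL 1.1 has no SSLv2: "!SSLv2" from old configs is a no-op. */
        if (name_eq("SSLv2", start, len)) { if (neg) continue; return -1; }
        for (idx = 0; idx < N_PROTOCOLS; idx++)
            if (name_eq(protocols[idx].name, start, len)) break;
        if (idx == N_PROTOCOLS) return -1;      /* typo: refuse, don't ignore */
        if (neg) exclude[idx] = 1; else { include[idx] = 1; any_include = 1; }
    }

    for (lo = 0; lo < N_PROTOCOLS; lo++)
        if ((!any_include || include[lo]) && !exclude[lo]) break;
    if (lo == N_PROTOCOLS) return -1;           /* nothing left enabled */
    for (hi = N_PROTOCOLS - 1; hi > lo; hi--)
        if ((!any_include || include[hi]) && !exclude[hi]) break;
    for (i = lo; i <= hi; i++)                  /* the linear API has no holes */
        if (exclude[i] || (any_include && !include[i])) return -2;

    *min_r = protocols[lo].version;
    *max_r = protocols[hi].version;
    return 0;
}

/* Single-value accessors: status code, or min/max version (-1 on failure). */
int range_status(const char *list) { int mn, mx; return protocol_list_to_range(list, &mn, &mx); }
int range_min(const char *list) { int mn, mx; return protocol_list_to_range(list, &mn, &mx) == 0 ? mn : -1; }
int range_max(const char *list) { int mn, mx; return protocol_list_to_range(list, &mn, &mx) == 0 ? mx : -1; }

int main(void)
{
    /* Constructed sample settings, including the old default "!SSLv2". */
    static const char *const samples[] = { "!SSLv2", "!SSLv3 !TLSv1", "TLSv1.2", "!TLSv1.1" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int mn, mx, rc = protocol_list_to_range(samples[i], &mn, &mx);
        if (rc == 0) printf("%-16s -> min 0x%04x max 0x%04x\n", samples[i], mn, mx);
        else         printf("%-16s -> rejected (rc=%d)\n", samples[i], rc);
    }
    return 0;
}
```

The -2 case is the one to watch when porting: with the 1.0 option bits a configuration such as "!TLSv1.1" was expressible (odd, but honoured), whereas a straight translation to min=SSLv3, max=TLSv1.2 would quietly re-enable the version the administrator disabled, so the port should fail the settings check rather than guess.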
2018 Jan 10
3
Can't compile Asterisk on Fedora server
...lared here DEPRECATEDIN_1_1_0(void ERR_remove_thread_state(void *)) ^ tcptls.c: In function '__ssl_setup': tcptls.c:819:31: warning: implicit declaration of function 'SSLv2_client_method'; did you mean 'SSLv3_client_method'? [-Wimplicit-function-declaration] cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method()); ^~~~~~~~~~~~~~~~~~~ SSLv3_client_method tcptls.c:819:31: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [-Wint-conversion] In file included from /u...
2017 Feb 14
0
openssl 1.1.0d breaks Android7 TLS connects
...icient. The implementation only checks for SSL_CTRL_SET_ECDH_AUTO. That was effective for OpenSSL 1.0.2, but in 1.1.0 it is removed. That's the code part: #ifdef SSL_CTRL_SET_ECDH_AUTO /* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter selection. */ SSL_CTX_set_ecdh_auto(ssl_ctx, 1); #else /* For OpenSSL < 1.0.2, ECDH temporary key parameter selection must be performed manually. Attempt to select the same curve as that used in the server's private EC key file. Otherwise fall back to the NIST P-384 (secp3...
2017 Nov 16
0
[PATCH] [libshout] tls: compile with OpenSSL 1.1.0
...R) SSL_library_init(); SSL_load_error_strings(); SSLeay_add_all_algorithms(); SSLeay_add_ssl_algorithms(); - meth = TLSv1_client_method(); + meth = SSLv23_client_method(); if (!meth) goto error; +#else + meth = TLS_client_method(); +#endif tls->ssl_ctx = SSL_CTX_new(meth); if (!tls->ssl_ctx) -- 2.15.0
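Review bot: in the pre-1.1.0 branch, swapping TLSv1_client_method() for SSLv23_client_method() widens what the client will negotiate from TLS 1.0 only to every version the library supports, including SSLv3 (and SSLv2 where it was compiled in), and nothing visible in the hunk sets SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 on tls->ssl_ctx to compensate. If the goal is merely to allow TLS 1.1 and 1.2, add `SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the SSL_CTX_new() call; the same floor should be applied in the TLS_client_method() branch with SSL_CTX_set_min_proto_version(). Keeping SSL_library_init()/SSL_load_error_strings() only in the old branch is right, since 1.1.0 initialises itself.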
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
...eNULL : !3DES : @STRENGTH However, this doesn't prevent the SSLv2 connection being allowed as our Nessus scans show and I'm tasked with trying to plug that "hole". I see Dovecot2 had the following change a year or so ago, in file src/login-common/ssl-proxy-openssl.c: - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect; however I am very hesitant about putting this into our production system wi...
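Review bot: `SSL_OP_ALL | SSL_OP_NO_SSLv2` disables only SSLv2; SSLv3 remains negotiable after this hunk. If the scan finding is specifically SSLv2 that is enough, otherwise add SSL_OP_NO_SSLv3 in the same call. SSL_CTX_set_options() ORs flags into the context, so carrying the one-line change over to the dovecot1 tree as shown does not disturb any options set elsewhere.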
2019 Jun 07
1
Problem with opusfile & ndk
Hi Xiph.org Team. We are using opusfile library <https://github.com/xiph/opusfile> for streaming *.opus* audio in our projects. But now we have a problem with building opusfile library for android with *ndk-build*. In particular, with arm64-v8a platform: Google removed <sys/timeb.h> from android. And now building opusfile with ndk-build crashes with error "fatal error:
2005 Sep 11
1
DSA support for TLS?
hi all, i've dovecot TLS working correctly w/ locally generated *RSA* CA cert, domain privkey & self-signed domain cert. to that end, my dovecot.conf includes: ssl_key_file = /var/Security/mail.testdomain.com.privkey.rsa.pem ssl_cert_file = /var/Security/mail.testdomain.com.cert.rsa.pem ssl_ca_file =
2013 Sep 10
2
dovecot and PFS
Hi Is there known advice on how to favor PFS with dovecot? In Apache, I use the following directives, which cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10
2003 Jun 15
3
0.99.10-test12
http://dovecot.procontrol.fi/test/ I should have released 0.99.10 already I think.. There's just two annoying problems that I think should be fixed first: - PAM: If user gives a wrong password, dovecot-auth process sleeps for two seconds, blocking everyone else who is trying to authenticate at the time. So using PAM isn't a very good idea at the moment. - OpenSSL problems. Are they
2018 Jul 30
2
2.3.2.1 - EC keys support?
...ent connecting to your instance has to support ecdsa >>> >>> >> It does - Thunderbird 60.0b10 (64-bit) >> >> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ] >> >> It seems there is a difference between the private key (rsa vs. ecc -> >> SSL_CTX?) used for the certificate signing request and the signed >> certificate. >> >> The csr created from a private key with [ openssl genpkey -algorithm RSA >> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. >> >> But as stated in the initial message i...
2007 Jul 25
0
Problem with asterisk-addons - checking for mysql_init in -lmysqlclient... no
...void)': : undefined reference to `__builtin_delete' /usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x348b): In function `yaSSL::Sessions::~Sessions(void)': : undefined reference to `__builtin_delete' /usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x37db): In function `yaSSL::SSL_CTX::~SSL_CTX(void)': : undefined reference to `__builtin_delete' /usr/lib/mysql/libmysqlclient.a(yassl_int.o)(.text+0x3c60): more undefined references to `__builtin_delete' follow /usr/lib/mysql/libmysqlclient.a(libtaocrypt_la-asn.o)(.gnu.linkonce.d.__vt_Q28TaoCrypt4HASH+0xc): undefined re...