search for: ssl_proxy_ctx_use_certificate_chain

Hi Is there known advices on how to favor PFS with dovecot? In Apache, I use the following directives, with cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE at STRENGTH:ECDH at STRENGTH:DH at STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10

...RSION); + else + i_fatal("TLS min version: '%s' is invalid. Only " + "'TLS1.0' and 'TLS1.1' is supported", + ssl_set->ssl_lowest_version); + } +#endif if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' && ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) { i_fatal("Can't load ssl_cert: %s",

...pkey = ssl_proxy_load_key(set->ssl_key, password); + if (pkey != NULL && + (eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL && + (ecgrp = EC_KEY_get0_group(eckey)) != NULL) + nid = EC_GROUP_get_curve_name(ecgrp); + EVP_PKEY_free(pkey); +#endif + return nid; +} + +static int ssl_proxy_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert) { /* mostly just copy&pasted from SSL_CTX_use_certificate_chain_file() */ @@ -1209,7 +1282,6 @@ #endif ssl_proxy_ctx_use_key(ctx->ctx, ssl_set); - SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback); if (ctx->verify_client_cert) ssl_pro...