similar to: SNI-23: SSH - Vulnerability in ssh-agent

[mod: Executive summary: SNI found recent linux-distributions not-vulnerable -- REW] -----BEGIN PGP SIGNED MESSAGE----- ###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######.

-----BEGIN PGP SIGNED MESSAGE----- ##### ## ## ###### ## ### ## ## ##### ## # ## ## ## ## ### ## ##### . ## ## . ###### . Secure Networks Inc. Security Advisory

-----BEGIN PGP SIGNED MESSAGE----- ##### ## ## ###### ## ### ## ## ##### ## # ## ## ## ## ### ## ##### . ## ## . ###### . Secure Networks Inc. Security Advisory

I don''t know if this has made it to you yet, so here it is... =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Kirk Bauer Georgia Tech gt5918a@prism.gatech.edu or Finger for PGP Key --> kirk@kaybee.gt.ed.net http://www.kaybee.gt.ed.net/~kirk/html/index.html Resnet RTA (Residence Technical Advisor) GTRI Co-Op ----------

###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory February 24, 1997

###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory March 2, 1997

[Mod: I am approving this message even though it is just a rehash of known vulnerabilities of DNS. Please in future lets avoid rehashing what was alreadt discussed in probably every single mailing list that deals with UNIX security several years ago? -- alex ] ###### ## ## ###### ## ### ## ## ######

Hi all, I have been using tinc successfully for a while now. However, I need to do something different from my normal setup, and i am getting the feeling I am doing something obvious wrong. What I want to do is hookup 5 distant linux routers into one bigger network, Since I need to transmit both unicast and multicast traffic, the VPN network has to be in "Mode = switch" [Assumption

////////////////////////////////////////////////////////////////////////// I have got a couple of messages stating that I am wrong and that the resolver vulnerability sent to list by Oliver Friedrichs (oliver@secnet.com) is a new one. Our discussion with Oliver outlined that even though it is possible that this vulnerability was discussed during BOFs at conferences such as LISA, SANS and NETSEC,

FYI? dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI.?As you are using version 2.2.27 you might encounter the same behaviour. If the client won't send SNI, my server randomly answers with any cert instead of?the default cert,? --Perhaps dovecot just utilises the last used cert? One speciality?of my certs is, that both share the same Common Name (CN) but differ

Is there a way to log SNI hostname used in TLS session? Info is there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to ssl_io->host. Unfortunately I don't see it expanded to any variables ( http://wiki.dovecot.org/Variables ). Please consider this to be a feature request. The goal is to be able to see which hostname client used like: May 30 08:21:19 xxx dovecot:

On Thursday 20 of October 2016, Aki Tuomi wrote: > On 20.10.2016 15:41, Arkadiusz Mi?kiewicz wrote: > > On Thursday 20 of October 2016, Aki Tuomi wrote: > >> On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: > >>> On Monday 17 of October 2016, KT Walrus wrote: > >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> >

Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name

On Monday 17 of October 2016, KT Walrus wrote: > > On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: > >> Is there a way to log SNI hostname used in TLS session? Info is there in > >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to > >>

On Thursday 20 of October 2016, Aki Tuomi wrote: > On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: > > On Monday 17 of October 2016, KT Walrus wrote: > >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> > >>> wrote: > >>> > >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: > >>>> Is there

On Friday 11 of November 2016, Felipe Gasper wrote: > Hello, > > We?re rolling out large SNI deployments for our mail servers. Each domain > gets an entry like this in the config: > > local_name mail.foo.com { > ssl_cert = </ssl/domain_tls/*.foo.com/combined > ssl_key = </ssl/domain_tls/*.foo.com/combined > } Lack of glob/regexp support here is also a

>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars

Hello, How feasible would it be to have a ?pluggable? Dovecot setup that would permit arbitrary logic for fetching TLS/SNI certificates and key, rather than having to hard-code each domain?s resources in a configuration file? A couple scenarios that I envision such a framework being able to accommodate: 1) An internal TLS service that accepts queries via a UNIX socket by domain name and

> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any

Good morning, I was wondering what you think about SNI (server name indication) support to OpenSSH? Background: SSH is one of the rare protocols in the data center that cannot be easily load balanced, proxied or made highly available. If the ssh client would indicate to which host it wants to connect to, a proxy or load balancer could easily be implemented. While this is an obvious feature for