Displaying 20 results from an estimated 200 matches similar to: "[PATCH] login-common: Add support for ECDH/ECDHE cipher suites"
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
Hi all,
As I reported earlier (with a typo in the word [BUG]) client
certification validation *does not* work even if you do everything
exactly according to all documentation and attempts at helpful advice.
I have seen this issue with both startssl.com and self-signed
certificates, and based on what I've seen from searching the web, this
is a problem that has gotten little attention because
2017 Feb 14
0
openssl 1.1.0d breaks Android7 TLS connects
Hi,
the actual OpenSSL version detection in dovecot is insufficient.
The implementation only checks for SSL_CTRL_SET_ECDH_AUTO.
That was effective for OpenSSL 1.0.2, but in 1.1.0 it is removed.
That's the code part:
#ifdef SSL_CTRL_SET_ECDH_AUTO
/* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
   selection. */
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
The openssl library in Debian unstable (targeting Buster) supports
TLS1.2 by default. The library itself supports also TLS1.1 and TLS1.0.
If the admin decides to also support TLS1.[01] users he can then enable
the lower protocol version in case the users can't update their system.
Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
---
src/config/all-settings.c
2013 Aug 07
2
2.2.5 fails to compile - SSL_OP_SINGLE_ECDH_USE : Solaris 10 + Sunstudio 12.3
Hi,
Compile fails in these two files
src/lib-ssl-iostream/iostream-openssl-context.c
src/login-common/ssl-proxy-openssl.c
due to missing SSL_OP_SINGLE_ECDH_USE
In these there is only
#if !defined(OPENSSL_NO_ECDH)
when all the other places it always compares also SSL version
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10002000L
Tomppa
2012 Mar 20
1
IMAP and POP3 per SSL
Hi!
I'm new to this list and I could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.
Our security scanner stumbled over the IMAPs server I've set up recently using dovecot on a RedHat Enterprise 64bit Server.
The security scanner found an error regarding a new SSL security leak named "BEAST". The
2011 Oct 13
1
[PATCH] Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low
# HG changeset patch
# User Cristian Rodríguez <crrodriguez at opensuse.org>
# Date 1318533592 10800
# Node ID c15d6befe20082009cb40926afa208ab4b684818
# Parent 962df5d9413a4a0fcc68aacc1df0dca7a44a0240
Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low.
diff -r 962df5d9413a -r c15d6befe200 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed
2007 Jun 11
2
SSL_CTX_set_info_callback problem in latest source
In the file ./src/login-common/ssl-proxy-openssl.c appears the code:
if (verbose_ssl)
SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
It appears the SSL_CTX_set_info_callback symbol only occurs in the
openssl development branch starting with 0x00909000L as this symbol
is missing from openssl 0.9.8b and 0.9.8e (no check of the latest
nightly snapshot of the stable 0.9.8 branch).
2018 Jan 10
3
Can't compile Asterisk on Fedora server
All;
I have a Fedora 26 server that I am trying to compile
asterisk-certified-13.13-cert6 on. However, I'm getting the following
errors. I'm also having a tough time trying to compile Dahdi. I'm not sure
what I'm missing, but if anyone else is running Fedora, I'd really
appreciate any help at all.
Thanks Much;
John V.
make[1]: Leaving directory
2006 Jun 01
1
ssl-proxy: client certificates and crl check
--- ssl-proxy-openssl.c.orig 2006-04-04 10:32:58.000000000 +0200
+++ ssl-proxy-openssl.c 2006-06-01 09:24:57.000000000 +0200
@@ -498,7 +498,7 @@
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
{
X509 *x509;
- char buf[1024];
+ char buf[256];
const char *name;
if
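Review bot: the reduction of `buf` from 1024 to 256 bytes in ssl_proxy_get_peer_name() is not explained by anything in the visible lines and does not obviously belong to the client certificate and CRL change named in the subject. Please give the reason in the patch description, confirm that whatever fills `buf` further down is bounded by sizeof(buf), and say how a peer name that does not fit in 256 bytes is handled, so that it is rejected rather than silently truncated.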
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak
ones) in the hope of preventing SSLv2 connections:
ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : @STRENGTH
However, this doesn't prevent the SSLv2 connection being allowed as our Nessus
scans show and I'm tasked with trying to plug that "hole".
I see Dovecot2 had
2017 Nov 16
0
[PATCH] [libshout] tls: compile with OpenSSL 1.1.0
The init functions are no longer required in OpenSSL 1.1 so I dropped
them.
TLSv1_client_method() should not be used because it enables only the
TLSv1.0 protocol. Better is to use SSLv23_client_method() which enables
all the protocols including TLSv1.2. With this function SSLv2 and SSLv3
are theoretically possible but as of today those protocols are usually
build-time disabled.
To avoid all this
2016 Nov 15
1
[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
all and dovecot's defaults simply make OpenSSL error out with "Unknown
protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
seems to know something about it.
While at it, it's also a good idea to disable SSLv3 by default as well.
[1] https://bugs.debian.org/844347
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi,
I came up with the following patch while trying to figure out a good solution
for the situation described in Debian bug #871987[1]. In short, OpenSSL in
Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients
2013 Aug 27
1
Install of Dovecot 2.2.5 on Solaris 10/Openssl version 0.9.7d 17 Mar 2004
Greetings!
I am attempting to install Dovecot 2.2.5 on Solaris 10 Sparc hardware with openssl version 0.9.7d 17 Mar 2004. I have created a dovecot user and a dove null user, assigned them their own login directories specifying the ksh shell and assigned them to their own groups. I have run the configure command successfully and am having trouble with the make.
At first, I received the problem
2018 Jul 29
4
2.3.2.1 - EC keys support?
>> facing [ no shared cipher ] error with EC private keys.
> the client connecting to your instance has to support ecdsa
>
>
It does - Thunderbird 60.0b10 (64-bit)
[ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
It seems there is a difference between the private key (rsa vs. ecc ->
SSL_CTX?) used for the certificate signing request and the signed
certificate.
The csr
2007 Jul 25
0
Problem with asterisk-addons - checking for mysql_init in -lmysqlclient... no
I'm trying to build the MySQL components in asterisk-addons but no
luck so far. I hope that you can help.
I have MySQL installed.
rpm -qa indicates:
MySQL-server-5.0.22-0
MySQL-devel-5.0.22-0
MySQL-client-5.0.22-0
rpm -ql MySQL-devel | grep client indicates:
/usr/lib/mysql/libmysqlclient.a
/usr/lib/mysql/libmysqlclient.la
/usr/lib/mysql/libmysqlclient_r.a
/usr/lib/mysql/libmysqlclient_r.la
2020 Sep 24
3
dovecot TLS 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
I've installed
grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
dovecot --version
2.3.10.1 (a3d0e1171)
openssl version
OpenSSL 1.1.1g FIPS 21 Apr 2020
iiuc, Dovecot has apparently had support for setting TLS 1.3 ciphersuites since v2.3.9, per this commit
lib-ssl-iostream: Support TLSv1.3 ciphersuites
2017 Jan 02
1
[PATCH] Use ASN1_STRING_get0_data for openssl-1.1.0
This fixes a build failure from undefined references to ASN1_STRING_data in
libopusurl.so.
ASN1_STRING_data is deprecated in openssl-1.1.0. The new ASN1_STRING_get0_data
is identical, except the returned string may not be modified, which we don't
do anyway.
Also include missing asn1.h header to silence compiler warnings.
X-Gentoo-Bug: 592456
X-Gentoo-Bug-URL:
2018 Jul 30
0
2.3.2.1 - EC keys support?
On 29.07.2018 23:39, ????? wrote:
>>> facing [ no shared cipher ] error with EC private keys.
>> the client connecting to your instance has to support ecdsa
>>
>>
> It does - Thunderbird 60.0b10 (64-bit)
>
> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>
> It seems there is a difference between the private key (rsa vs. ecc ->
> SSL_CTX?)
2018 Jul 30
0
2.3.2.1 - EC keys support?
> On 29 July 2018 at 23:39 ????? <vtol at gmx.net> wrote:
>
>
>
> >> facing [ no shared cipher ] error with EC private keys.
> > the client connecting to your instance has to support ecdsa
> >
> >
>
> It does - Thunderbird 60.0b10 (64-bit)
>
> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>
> It seems there is a