[Dovecot] DSA support for TLS?

OpenMacNews OpenMacNews at speakeasy.net
Mon Sep 19 02:36:02 EEST 2005


hi timo,

> On Sun, 2005-09-11 at 12:52 -0700, OpenMacNews wrote:
>> 	dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file
>> /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital
>> envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key
>
> Well, I'm not sure why so many other programs seem to want to require
> RSA private keys (where I looked at examples how to use OpenSSL), but I
> think this patch fixes it (committing to CVS too):
>
> Index: src/login-common/ssl-proxy-openssl.c
> ===================================================================
> RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v
> retrieving revision 1.28
> diff -u -r1.28 ssl-proxy-openssl.c
> --- src/login-common/ssl-proxy-openssl.c	18 Sep 2005 14:43:10 -0000	1.28
> +++ src/login-common/ssl-proxy-openssl.c	18 Sep 2005 15:55:35 -0000
> @@ -487,8 +487,8 @@
>  			certfile, ssl_last_error());
>  	}
>
> -	if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile,
> -					   SSL_FILETYPE_PEM) != 1) {
> +	if (SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile,
> +					SSL_FILETYPE_PEM) != 1) {
>  		i_fatal("Can't load private key file %s: %s",
>  			keyfile, ssl_last_error());
>  	}
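Review bot: the generic loader is the right fix, but the hunk still does not confirm that the key just loaded actually belongs to the certificate loaded a few lines above (`certfile`), so a DSA key paired with an RSA certificate now loads without complaint and only surfaces later as a handshake failure. Suggest adding, immediately after this block, `if (SSL_CTX_check_private_key(ssl_ctx) != 1) i_fatal("Private key %s doesn't match certificate %s", keyfile, certfile);` so a mismatch is reported at startup with a clear message. It is also worth stating in the commit message that a DSA key can only serve DSS cipher suites, so the configured ssl_cipher_list must leave some of those enabled for the new code path to be useful.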

i DL'd the latest CVS, verifying the patch above ...

build went fine.

using rsa is still ok.

now, when i try to connect w/ DSA i get, in dovecot log, a slightly different 
error:

dovecot: Sep 18 16:28:19 Warning: imap-login: SSL_accept() failed: 
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [10.0.0.6]
dovecot: Sep 18 16:28:19 Info: imap-login: Disconnected: rip=10.0.0.6, 
lip=10.0.0.5, TLS

this is with:

    ssl_listen                   = *
    ssl_disable                  = no
    verbose_ssl                  = yes

    ssl_key_file                 = /var/Data/Security/mail.mydomain.com.privkey.rsa.pem
    ssl_cert_file                = /var/Data/Security/mail.mydomain.com.cert.rsa.pem
    ssl_ca_file                  = /var/Data/Security/mydomain.CA.cert.rsa.pem
    ssl_verify_client_cert       = no
    ssl_parameters_file          = /var/Data/Security/mydomain.dsaparam.pem
    ssl_parameters_regenerate    = 0
    ssl_cipher_list              = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH


in my dovecot config ...

cheers,

richard
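The "no shared cipher" warning above comes from the server side of the handshake: OpenSSL first narrows the configured cipher list to the suites the loaded certificate/key type can serve (RSA suites for an RSA key, DSS suites for a DSA key, with ephemeral DH suites additionally needing DH parameters), then looks for a match in the client's offer. The following is an added, constructed model of that narrowing, written for this thread and not taken from Dovecot or OpenSSL; the suite table is a hand-picked subset of real OpenSSL cipher names, and the cipher-string expander is deliberately simplified.

```python
"""Constructed model of OpenSSL-style server cipher selection (illustration only,
not Dovecot's or OpenSSL's code). It shows why a server whose loaded key type
or missing DH parameters rule out every suite the client offers ends up with
"no shared cipher" at the ClientHello."""

# suite name -> (key exchange, authentication, symmetric key bits)
SUITES = {
    "AES256-SHA":         ("RSA", "RSA",   256),  # static RSA key exchange
    "AES128-SHA":         ("RSA", "RSA",   128),
    "DHE-RSA-AES256-SHA": ("DHE", "RSA",   256),
    "DHE-RSA-AES128-SHA": ("DHE", "RSA",   128),
    "DHE-DSS-AES256-SHA": ("DHE", "DSS",   256),  # only a DSA cert/key can serve these
    "DHE-DSS-AES128-SHA": ("DHE", "DSS",   128),
    "ADH-AES256-SHA":     ("DHE", "aNULL", 256),  # anonymous, no certificate at all
}

# private-key type (as SSL_CTX_use_PrivateKey_file would detect it) -> auth tag it serves
KEY_TO_AUTH = {"RSA": "RSA", "DSA": "DSS"}


def expand_cipher_string(spec):
    """Simplified OpenSSL cipher-string expansion over the table above:
    'ALL' selects every suite, '!tag' permanently drops suites whose name,
    key exchange or auth tag equals tag, '@STRENGTH' sorts by symmetric key
    size (largest first). Tags with no match in this small table are ignored."""
    selected = []
    for token in spec.split(":"):
        if token == "ALL":
            selected = list(SUITES)
        elif token.startswith("!"):
            tag = token[1:]
            selected = [n for n in selected
                        if tag not in (n, SUITES[n][0], SUITES[n][1])]
        elif token == "@STRENGTH":
            selected.sort(key=lambda n: SUITES[n][2], reverse=True)  # stable sort
    return selected


def server_usable_suites(cipher_list, key_type, have_dh_params):
    """Suites the server can actually complete a handshake with: the suite's
    authentication must match the loaded key type, and ephemeral DH suites
    need DH parameters to have been loaded."""
    auth = KEY_TO_AUTH[key_type]
    usable = []
    for name in cipher_list:
        kx, suite_auth, _bits = SUITES[name]
        if suite_auth != auth:
            continue  # certificate cannot authenticate this suite
        if kx == "DHE" and not have_dh_params:
            continue  # no parameters for the ephemeral DH exchange
        usable.append(name)
    return usable


def select_cipher(cipher_list, key_type, have_dh_params, client_offer):
    """Server-preference selection; None corresponds to OpenSSL's
    'no shared cipher' handshake failure."""
    for name in server_usable_suites(cipher_list, key_type, have_dh_params):
        if name in client_offer:
            return name
    return None


if __name__ == "__main__":
    conf = expand_cipher_string("ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH")
    print("server cipher list:", conf)
    # constructed ClientHello that offers only DSS suites
    dss_only = ["DHE-DSS-AES256-SHA", "DHE-DSS-AES128-SHA"]
    print("RSA key, DSS-only client:", select_cipher(conf, "RSA", True, dss_only))
    print("DSA key, DSS-only client:", select_cipher(conf, "DSA", True, dss_only))
    print("DSA key, no DH params:   ", select_cipher(conf, "DSA", False, dss_only))
```

Running it shows the three outcomes a practitioner needs to tell apart when reading that log line: an RSA key with a client that only offers DSS suites selects nothing, the same client against a DSA key succeeds, and a DSA key without DH parameters fails again because every DSS suite in the table is ephemeral DH.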