Mark,

Thanks a lot for the response and your time.

> Why not just install any added CAs in /usr/local/ssl/certs? Isn't it
> better to have the CAs set up properly for all applications?

After reading the code more, I discovered that most (if not all) of this is already available and that I should probably learn more about manipulating the NET_NOVALIDATECERT flag and how to make c-client/imapd do what I want it to (only allow connections that use certificates issued by a private CA). My query was largely based on some documentation available that doesn't mention verification/validation.

> Also, are you intending to add a SASL authenticator for EXTERNAL? If not,
> then what does peer verification buy you, given that there is already
> authentication in IMAP (in effect, you'll be authenticating twice)?
> Aren't you worried about not being able to access your mail from
> elsewhere?
> Unless there is evidence of penetrations, it may well be more costly to
> get into that business than just leaving well (bad?) enough alone.
> It's reported that crypto cracking isn't even a blip on the radar screen
> in terms of systems being broken into. The big name cracks are in
> exploiting known bugs and human error.

I'm just really, really paranoid. There is only a limited set of external sites from which I would like to connect to my server, and I'm just learning how to explicitly disallow all connections except those from specific addresses by using Linux's iptables service. Using peer verification gives me another level of restriction, in case someone finds a way to use IP spoofing to connect. This is probably overkill for my scenario, and I don't know too much about the statistics and probability of intrusions. In any case, it looks like I can use existing functionality that is already built into c-client and be as paranoid as I want to.

> > Also, I'd like to be able to control which SSL versions are used,
> > particularly enabling SSLv3 and TLSv1, while disabling SSLv2 (passing
> > SSL_OP_NO_SSLv2 to SSL_CTX_set_options).
>
> Not a good idea, and likely to cause interoperability problems. On the
> SSL port (port 993 in IMAP), you need to use the SSLv23 method and not
> TLSv1. On TLS (STARTTLS command on the regular ports), you need to use
> TLSv1 and not the SSL methods.

I think that SSLv23 also enables TLSv1, and then setting the SSL_OP_NO_SSLv2 flag disables SSLv2. In the code, SSL_OP_ALL is set, which probably sets this option, so I'm not really worried about this anymore either.

> I hope I've talked you out of doing this.

Yep, you and the code have talked me out of it. Please accept my apologies for not reading the code more before sending a query, and thanks again! :)

-Abe
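The two settings the thread is really about, shown as an added example that is not code from this thread, from c-client/imapd or from OpenSSL itself: a server context that requires a client certificate issued by a private CA (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT plus SSL_CTX_load_verify_locations in C), and a protocol floor set on the context instead of by choosing a version-specific method. It uses Python's ssl module, which wraps the same OpenSSL context calls, and goes slightly beyond the thread by placing the floor at TLS 1.2, since current OpenSSL releases have removed SSLv2 entirely. One caveat on the SSL_OP_ALL remark: SSL_OP_ALL is OpenSSL's bundle of bug-compatibility workarounds and does not include SSL_OP_NO_SSLv2, so a version restriction always has to be set explicitly. The CA bundle path is a constructed placeholder, and the audit function is an illustrative check of my own, not anything c-client provides.

```python
"""Added example (not from the thread or c-client): client-certificate-only
server context and a protocol floor, with a small audit of the result."""
import ssl
from typing import List, Optional

# Constructed placeholder for the private CA bundle; not a path from the thread.
PRIVATE_CA_BUNDLE = "/usr/local/ssl/certs/private-ca.pem"


def weak_server_context() -> ssl.SSLContext:
    """Starting point of the thread: the server never looks at the client.
    verify_mode CERT_NONE corresponds to SSL_VERIFY_NONE in OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # negotiating (SSLv23-style) method
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_server_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Only clients holding a certificate from the private CA may complete
    the handshake, and the protocol floor is pinned on the context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Modern equivalent of passing SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 to
    # SSL_CTX_set_options: keep the negotiating method, restrict the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED == SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
    # a client that presents no certificate is rejected during the handshake.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle is not None:
        # The private CA is the only trust anchor. load_default_certs() is
        # deliberately NOT called, so certificates from public CAs fail.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_server_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for settings that defeat 'only my private CA's clients may
    connect'. An empty list means the context matches that goal."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificates are not required "
                        "(verify_mode != CERT_REQUIRED)")
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        # Verification on, but nothing to verify against: every client fails.
        findings.append("peer verification enabled but no CA certificates loaded; "
                        "every client would be rejected")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; "
                        "raise minimum_version")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()),
                       ("hardened, CA not yet loaded", hardened_server_context())):
        print(f"{label}: {audit_server_context(ctx) or ['no findings']}")
```

Calling `hardened_server_context(PRIVATE_CA_BUNDLE)` with a real bundle removes the only finding the CA-less hardened context produces, because `cert_store_stats()` then reports at least one CA certificate. Restricting which CAs are loaded is what makes the certificate check a useful second gate alongside the iptables rules discussed above: a certificate from any public CA is not enough to reach the IMAP login prompt.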
