Hi All, I think this is the correct place for this suggestion.
Currently, using Diffie-Hellman encryption with couriertls (courier-imap-ssl) requires one of two configurations. In imapd-ssl, the configuration option TLS_DHCERTFILE must have either:

1. a .pem file that includes the RSA key, the certificates, and the DH parameters; options would look something like:

   TLS_CERTFILE=/path/to/myserver.pem
   TLS_DHCERTFILE=/path/to/myserver.diffie-hellman.pem

or

2. TLS_DHCERTFILE needs to be exactly the same as TLS_CERTFILE, and the DH parameters must be added to that file; options in this case look like:

   TLS_CERTFILE=/path/to/myserver.pem
   TLS_DHCERTFILE=/path/to/myserver.pem

If TLS_DHCERTFILE references a file that only includes DH parameters, imap fails to start with the error message, "couriertls: DH init failed."

This implementation could be improved by allowing for an explicit file for DH parameters. Ideally, I think the implementation of couriertls would do the following:

0. If on startup no TLS_DHCERTFILE is specified, check for DH parameters in the file specified by TLS_CERTFILE. If DH parameters are *not* found, continue without DH support.
1. If on startup TLS_DHCERTFILE is specified, use the DH parameters specified by that file.
   * If the DH parameters are invalid or the file does not exist, startup should fail.

I'm not sure of the best way to implement these changes, but it seems like it should be reasonably easy. I suspect it would require modifying the following pointers in libcouriertls.c:

   process_rsacertfile -- modified to include a Diffie-Hellman check
   process_dhcertfile -- modified to only check for the full .pem file if TLS_CERTFILE is not specified; otherwise, just look for DH parameters.

Since I'm not a C programmer, I might be slightly off in my understanding of this, but I do believe this modified implementation would reduce unnecessary redundancy for couriertls configuration.

Thanks,
~/ross
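The lookup rules proposed above (rule 0: fall back to TLS_CERTFILE; rule 1: an explicit TLS_DHCERTFILE must be present and usable, otherwise startup fails), as an added example that is not part of the original post or of Courier's code. It is a small Python checker that an administrator can run offline against the two PEM files before restarting the daemon. The sample PEM blocks are constructed placeholders (their base64 bodies are not real keys or parameters), and the function names are my own; a DH PARAMETERS block is recognised by its PEM label and base64 well-formedness, not by validating the parameters cryptographically.

```python
"""Apply the proposed couriertls DH-parameter lookup rules to PEM text.

Added example, not Courier's code. Rule 0 and rule 1 follow the post above.
"""
import base64
import binascii
import os
import re

# One PEM block: label captured in group 1, body in group 2.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, decoded_bytes) for every PEM block in the text.

    Raises ValueError if a block body is not valid base64 (a corrupt file).
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = "".join(match.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed %s block: %s" % (label, exc))
        blocks.append((label, der))
    return blocks


def has_dh_params(text):
    """True if the text carries a non-empty, well-formed DH PARAMETERS block."""
    return any(label == "DH PARAMETERS" and der for label, der in pem_blocks(text))


def resolve_dh_source(certfile_text, dhcertfile_text=None):
    """Decide where DH parameters come from.

    certfile_text   -- contents of TLS_CERTFILE
    dhcertfile_text -- contents of TLS_DHCERTFILE, or None when the option is unset

    Returns ("certfile", True), ("none", False) or ("dhcertfile", True);
    raises ValueError when TLS_DHCERTFILE is set but unusable (startup should fail).
    """
    if dhcertfile_text is None:
        # Rule 0: no explicit DH file, so look inside the certificate file.
        if has_dh_params(certfile_text):
            return ("certfile", True)
        return ("none", False)
    # Rule 1: the explicit DH file must contain DH parameters.
    if not has_dh_params(dhcertfile_text):
        raise ValueError("TLS_DHCERTFILE contains no usable DH parameters")
    return ("dhcertfile", True)


def resolve_dh_source_from_files(certfile, dhcertfile=None):
    """File-based wrapper: a missing TLS_DHCERTFILE is a startup failure (rule 1)."""
    with open(certfile) as fh:
        cert_text = fh.read()
    if dhcertfile is None:
        return resolve_dh_source(cert_text, None)
    if not os.path.exists(dhcertfile):
        raise ValueError("TLS_DHCERTFILE does not exist: " + dhcertfile)
    with open(dhcertfile) as fh:
        return resolve_dh_source(cert_text, fh.read())


def describe_config(certfile_text, dhcertfile_text=None):
    """Human-readable outcome, with startup failures reported instead of raised."""
    try:
        source, enabled = resolve_dh_source(certfile_text, dhcertfile_text)
    except ValueError as exc:
        return "startup fails: %s" % exc
    if not enabled:
        return "starts without DH support"
    return "starts with DH parameters from " + source


# Constructed sample PEM texts; the base64 bodies are placeholders, not real material.
_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
_CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
_DH = "-----BEGIN DH PARAMETERS-----\nQUJD\n-----END DH PARAMETERS-----\n"
CERT_ONLY = _KEY + _CERT
CERT_WITH_DH = _KEY + _CERT + _DH
DH_ONLY = _DH
DH_CORRUPT = "-----BEGIN DH PARAMETERS-----\nnot base64!\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print("TLS_DHCERTFILE unset, DH in certfile :", describe_config(CERT_WITH_DH))
    print("TLS_DHCERTFILE unset, no DH anywhere :", describe_config(CERT_ONLY))
    print("TLS_DHCERTFILE = DH-only file        :", describe_config(CERT_ONLY, DH_ONLY))
    print("TLS_DHCERTFILE = cert file, no DH    :", describe_config(CERT_ONLY, CERT_ONLY))
    print("TLS_DHCERTFILE corrupt               :", describe_config(CERT_ONLY, DH_CORRUPT))
```

The third case is the one the post says fails today ("couriertls: DH init failed."); under the proposed rules it is the normal way to supply DH parameters, while the fourth and fifth cases are the ones that should refuse to start.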
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users