A NOTE has been added to this issue. 
====================================================================== 
http://www.dbmail.org/mantis/view.php?id=1066 
====================================================================== 
Reported By:                dfroe
Assigned To:                
====================================================================== 
Project:                    DBMail
Issue ID:                   1066
Category:                   General
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     new
target:                      
====================================================================== 
Date Submitted:             24-Jan-15 17:36 CET
Last Modified:              04-Mar-15 21:51 CET
====================================================================== 
Summary:                    Patch to add DHE/PFS TLS support
Description: 
To enhance the security of dbmail's TLS layer using OpenSSL I added some
code to include DHE/PFS support as well as some minor tweaks (disabling
SSLv2/3 and preferring the server cipher suite).
See attachment for a proof of concept.
For me this works fine with dbmail 3.2.1 and openssl 1.0.1l.
Maybe this can be added into git for general use in future releases.
====================================================================== 

---------------------------------------------------------------------- 
 (0003689) dfroe (reporter) - 04-Mar-15 21:51
 http://www.dbmail.org/mantis/view.php?id=1066#c3689 
---------------------------------------------------------------------- 
Using the following code within the tls_init method will also enable simple
elliptic curve support (ECDHE).

/* Apply OpenSSL options and init DH/ECDH (ctx is the SSL_CTX being set up) */
long options = 0;
options |= SSL_OP_CIPHER_SERVER_PREFERENCE; /* Enforce preferred cipher */
options |= SSL_OP_NO_SSLv2; /* Disable SSLv2 (broken) */
options |= SSL_OP_NO_SSLv3; /* Disable SSLv3 (poodle) */
options |= SSL_OP_SINGLE_DH_USE; /* Ensure real PFS for DH */
options |= SSL_OP_SINGLE_ECDH_USE; /* Ensure real PFS for ECDH */
SSL_CTX_set_options(ctx, options);
/* tmp_dh_callback supplies the DH parameters (see the attached patch) */
SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
/* Use the NIST P-256 curve for ephemeral ECDH */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh) {
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
    EC_KEY_free(ecdh); /* the context keeps its own copy */
}
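The same hardening as an added example (not the reporter's patch or DBMail's code), expressed through Python's ssl module, which exposes the OpenSSL options the note sets; it also audits the resulting context so a non-PFS suite or a missing option is reported. The cipher string and the optional DH parameter file path are assumptions, not values from the page.

```python
import ssl

# Assumed cipher string (DBMail's own list is not shown on the page):
# only ephemeral (EC)DHE key exchange, no anonymous/null/MD5/RC4 suites.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!eNULL:!MD5:!RC4"

# Names of the ssl.OP_* flags that mirror the SSL_OP_* flags in the note.
# On OpenSSL >= 1.1.0 the SINGLE_*_USE flags (and OP_NO_SSLv2) are 0 because
# that behaviour is always on, so the subset check below still holds.
REQUIRED_OPTION_NAMES = (
    "OP_CIPHER_SERVER_PREFERENCE",  # server's preference wins, not the client's
    "OP_NO_SSLv2",                  # SSLv2 is broken
    "OP_NO_SSLv3",                  # SSLv3 (POODLE)
    "OP_SINGLE_DH_USE",             # fresh DH key per handshake
    "OP_SINGLE_ECDH_USE",           # fresh ECDH key per handshake
)


def build_server_context(dh_params_path=None):
    """Server-side SSLContext with the options from the note applied.

    dh_params_path (assumed, optional): PEM file with DH parameters; this is
    the Python equivalent of installing tmp_dh_callback. Without it DHE suites
    stay listed but cannot be negotiated, while ECDHE suites still work.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in REQUIRED_OPTION_NAMES:
        ctx.options |= getattr(ssl, name)
    # Same curve as EC_KEY_new_by_curve_name(NID_X9_62_prime256v1).
    ctx.set_ecdh_curve("prime256v1")
    ctx.set_ciphers(PFS_CIPHERS)
    if dh_params_path:
        ctx.load_dh_params(dh_params_path)
    return ctx


def audit_context(ctx):
    """Return (missing_option_names, non_pfs_cipher_names) for a context."""
    missing = [name for name in REQUIRED_OPTION_NAMES
               if (ctx.options & getattr(ssl, name)) != getattr(ssl, name)]
    # TLS 1.3 suites (names starting with TLS_) always use ephemeral (EC)DHE.
    non_pfs = [c["name"] for c in ctx.get_ciphers()
               if not c["name"].startswith(("ECDHE-", "DHE-", "TLS_"))]
    return missing, non_pfs
```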

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
24-Jan-15 17:36  dfroe          New Issue                                    
24-Jan-15 17:36  dfroe          File Added: dbmail-tls-dh.patch                 
04-Mar-15 21:51  dfroe          Note Added: 0003689                          
======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev