A couple of years ago I started working on exactly this feature (when the SSL v3 storm hit).

I extended the env_unix.c module to add config file parsing options for a 'SSLCipherSuite' parameter that works the same as the Apache version and started work on a 'DHParameters' parameter that would work the same as the sendmail version.

I got the SSLCipherSuite code working in ssl_unix.c but never completed the DHParameters implementation.

Dave

On Wed, 5 Apr 2017, Neal Horman wrote:

I have already applied the "ssl cipher and protocol options patch" from 
http://www.freebsd.cz/~dan/patch-DAN-SETSSLCIPHER to my panda fork at
github.com/nkhorman/panda-imap/tree/ssloptions, and submitted a pull-request to 
jonabbey/panda-imap a year ago, that is still open.

You may find it useful.

Regards
Neal Horman

On 4/5/17 5:23 PM, Erik Kangas, Ph.D. wrote:
> Thanks.
>
> We already pre-generate the DH parameters for sendmail and have them sitting
> around in a dhparms.pem file unique to the server.  I wonder if anyone has
> created a patch that allows UW IMAP to read such a file and supply the
> parameters?
>
> -Erik Kangas
> On April 5, 2017 06:07:15 pm EDT, "Dan Lukes" <[email protected]> wrote:
>
>
> Erik Kangas, Ph.D. wrote:
> > Has anyone found a way to get the Diffie-Hellman TLS v1.2 ciphers (e.g.
> > DHE-RSA-AES256-GCM-SHA384) to work with UW IMAP / Panda IMAP?
>
> In order to perform a DH key exchange the server must use a DH group (DH
> parameters) and generate a DH key.
>
> UW IMAP neither generates DH parameters on the fly nor supplies the
> parameters - thus no DHE can be negotiated.
>
> You may patch the code and use SSL_CTX_set_options(3) to set
> SSL_OP_SINGLE_DH_USE option, but generating DH parameters on the fly is
> extremely time consuming.
>
>
> Dan
>
>


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
