I've actually got a version of the DH Params code working (fought thru
it last night). My current issue is how to excerpt it to make a patch that can
be applied to the published code base.
As I've been hacking at the UW/Panda imap code base for more than 15 years, I've
got a lot of local customizations added in.
For example:
1) support for command line arguments to imapd/pop3d to allow specifying things
like alternative config files, debug levels.
2) support for the IMAP "QUOTA" extension
3) a 'BlueBox' mode (something in between the default "store everything in the
user's home directory" and Mark's "BlackBox" mode).
4) session term limits to deal with the "BlackBerry locked mailbox" issue.
5) added debugging levels support
Dave
On Thu, 6 Apr 2017, Erik Kangas, Ph.D. wrote:
This sounds great!
Once this and the DH Params patches are in place, we will install on a few
servers and see how they go and let everyone know before we roll out everywhere.
If anyone else has any particular useful patches they have made, maybe this is
a good time to speak up and perhaps add them to the code base.
Good job, guys.
-Erik
On April 6, 2017 02:58:37 pm EDT, "Neal Horman" <[email protected]> wrote:
I have applied the differences to Dan's patch and pushed them to
github.com/nkhorman/panda-imap/tree/ssloptions.
I've only compile tested this on FreeBSD 10.3.
I'll also apply a DH patch, if someone wants to provide it.
Also, I'm open to other patches that would be generally useful for everyone.
If everyone agrees, I'll merge the ssloptions branch to master.
Regards
Neal
On 4/5/17 5:23 PM, Erik Kangas, Ph.D. wrote:
Thanks.
We already pre-generate the DH parameters for sendmail and have them
sitting around in a dhparms.pem file unique to the server. I wonder if anyone
has created a patch that allows UW IMAP to read such a file and supply
the parameters?
-Erik Kangas
On April 5, 2017 06:07:15 pm EDT, "Dan Lukes" <[email protected]> wrote:
Erik Kangas, Ph.D. wrote:
> Has anyone found a way to get the Diffie Hellman TLS v1.2 ciphers (e.g.
> DHE-RSA-AES256-GCM-SHA384) to work with UW IMAP / Panda IMAP?
In order to perform a DH key exchange the server must use a DH group (DH
parameters) and generate a DH key.
UW IMAP neither generates DH parameters on the fly nor supplies the
parameters - thus no DHE can be negotiated.
You may patch the code and use SSL_CTX_set_options(3) to set the
SSL_OP_SINGLE_DH_USE option, but generating DH parameters on the fly is
extremely time consuming.
Dan
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
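The thread above turns on handing the server a pre-generated DH parameters file such as the dhparms.pem Erik mentions. As an added example (not code from the thread or from the Panda IMAP tree), this stand-alone C check reads the PKCS#3 structure inside a "DH PARAMETERS" PEM and reports the size of the prime, so a file can be sanity-checked before a patched server is pointed at it. The function names and the toy sample are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added example. Constructed toy sample (p = 23, g = 5); a real file holds a far larger prime. */
const char SAMPLE_PEM[] =
    "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n";
static int b64val(int c) {
    static const char T[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = c ? strchr(T, c) : NULL;
    return q ? (int)(q - T) : -1;
}
/* Consume a DER header with the given tag; return the content length or -1. */
static long der_hdr(const unsigned char **p, const unsigned char *end, int tag) {
    if (end - *p < 2 || *(*p)++ != tag) return -1;
    long len = *(*p)++;
    if (len & 0x80) {                        /* long form: next n bytes hold the length */
        int n = len & 0x7f;
        if (n < 1 || n > 2 || end - *p < n) return -1;
        for (len = 0; n--; ) len = (len << 8) | *(*p)++;
    }
    return len <= end - *p ? len : -1;       /* content must fit in the buffer */
}
/* Consume a non-negative DER INTEGER; return its bit length or -1. */
static long der_int_bits(const unsigned char **p, const unsigned char *end) {
    long len = der_hdr(p, end, 0x02);
    if (len < 1 || (**p & 0x80)) return -1;  /* missing, empty or negative */
    const unsigned char *v = *p;
    *p += len;
    while (len > 1 && *v == 0) { v++; len--; }   /* drop the sign-padding zero byte */
    long bits = (len - 1) * 8;
    for (unsigned b = *v; b; b >>= 1) bits++;
    return bits;
}
/* Bit length of prime p, or -1 if pem is not SEQUENCE { INTEGER p, INTEGER g, ... }. */
long dh_pem_prime_bits(const char *pem) {
    static const char BEGIN[] = "-----BEGIN DH PARAMETERS-----";
    unsigned char der[1100];                 /* enough for an 8192-bit prime */
    size_t n = 0; unsigned acc = 0; int nbits = 0;
    const char *s = strstr(pem, BEGIN);
    if (!s) return -1;
    for (s += sizeof BEGIN - 1; *s && *s != '-'; s++) {   /* base64 body up to END line */
        int v = b64val((unsigned char)*s);
        if (v < 0) continue;                 /* newlines and '=' padding */
        acc = (acc << 6) | (unsigned)v; nbits += 6;
        if (nbits >= 8) { if (n == sizeof der) return -1; der[n++] = (acc >> (nbits -= 8)) & 0xff; }
    }
    const unsigned char *p = der, *end = der + n;
    long bits = der_hdr(&p, end, 0x30) < 0 ? -1 : der_int_bits(&p, end);
    return (bits > 0 && der_int_bits(&p, end) > 0) ? bits : -1;   /* generator must follow */
}
int main(void) { printf("prime bits: %ld\n", dh_pem_prime_bits(SAMPLE_PEM)); return 0; }
```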