Hi Folks.
So I sat down today to make imapd / cclient compile with the latest
openssl 1.1.1. It turns out the changes needed were very few.
Here is what I changed, in case it helps someone (the older versions of
openssl are losing support soon, so we all should be upgrading to the
new version channel).
1. There is only 1 critical change. There are a lot of fatal compile
errors around use of "cert->name". Openssl no longer exposes the
contents of the X509 structure. The solution seems to be to replace
this with something like:
    cert->name
replace with
    X509_NAME_oneline(X509_get_subject_name(cert),NULL,0)
which extracts the name from the cert object and returns it as a newly
allocated char*. This could be a very small memory leak; but for most
purposes each imapd and ipop3d only exist for the single connection --
so it's probably not a concern, just a few bytes. You could fix by
adding a few more lines to create a buffer and have
X509_NAME_oneline save to your buffer, etc.
2. There are a couple deprecated functions that should be updated:
    TLSv1_client_method -> TLS_client_method
    RSA_generate_key -> RSA_generate_key_ex
That is it -- things seem to be compiling and tests (so far) show
things are working properly. There are still compile warnings here and
there (as there always have been with imapd) but they seem OK. I will
still be testing for some time before I push out. Also, linking to
openssl v1.1.1 also seems to have cleared up some issues with C-Client
using STARTTLS with TLS 1.2-only servers (we already have support for
DHE and ECDHE built in).
I'll let you know if anything else needs to be done after further
testing. If anyone notices something I have neglected, please let me
know.
Probably the next thing we'll need to do down the road is enable TLS
v1.3 support....
Thanks!
-Erik
Erik Kangas, PhD
CEO
+1 617.596.9558
[email protected]
[1]www.LuxSci.com
[2]Erik on LinkedIn
This email communication is covered under LuxSci's [3]privacy policy.
On February 17, 2019 07:13:28 pm EDT, "Eduardo Chappa"
<[email protected]> wrote:
On Mon, 18 Feb 2019, Erik Kangas, Ph.D. wrote:
This is good and we can probably use this for the imapd server; however,
when I compile Panda against openssl 1.1.1.x, I find that the first set
of errors I receive involve the c-client library (which we need for
linking with PHP, for example). The c-client section (i.e. the c-client
directory immediately below "imap" vs the one below "src") seems to be
missing from the alpine source -- as it's probably not needed for alpine.
Dear Erik,
What you would have to do is to build Alpine. As a result, Alpine will
build the c-client library first, and then Alpine. You can stop the build
as soon as you have built the c-client library. That will give you the
c-client directory that you are looking for under imap/.
I already took care of all the errors you posted a long time ago, and I
am currently working on adding support for letting applications choose the
minimum and maximum versions of the SSL/TLS protocol to use.
Take a look at the repo for alpine at [4]http://repo.or.cz/alpine.git, for
the current bits. I am about to commit a few changes in regards to SSL
configuration.
Thank you.
--
Eduardo
References
Visible links
1. https://luxsci-email.com/X_cxUJK1rGjOtl9jzm5Aq_-Q7KyUO1eIsy_LXWG3usgS_-699/email-link/500/699/send-me?to=https://luxsci.com
2. https://luxsci-email.com/X_cxUJK1rGjOtl9jzm5Aq_-Q7KyUO1eIsy_LXWG3usgS_-699/email-link/500/699/send-me?to=https://www.linkedin.com/in/erikkangas/
3. https://luxsci-email.com/X_cxUJK1rGjOtl9jzm5Aq_-Q7KyUO1eIsy_LXWG3usgS_-699/email-link/500/699/send-me?to=https://luxsci.com/extranet/privacy.html
4. https://luxsci-email.com/X_cxUJK1rGjOtl9jzm5Aq_-Q7KyUO1eIsy_LXWG3usgS_-699/email-link/500/699/send-me?to=http://repo.or.cz/alpine.git
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
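
A porting check for the three changes listed in the message above, as an added example that is not code from either poster or from the imapd/c-client source. The function names, the sample file name and its contents are constructed for illustration; the scan is line-based, so it also reports hits inside comments.

```shell
#!/bin/sh
# Added example: list the pre-1.1 OpenSSL idioms named in this thread that
# still remain in a C source tree. All names here are hypothetical.

# Prints "file:line: reason" per hit; returns 1 if anything was found.
scan_openssl11_port() {
    findings=$(
        find "$1" -type f \( -name '*.c' -o -name '*.h' \) | sort |
        while IFS= read -r f; do
            awk -v file="$f" '
                function hit(msg) { printf "%s:%d: %s\n", file, FNR, msg }
                # direct member access on the now-opaque X509 struct
                /(^|[^A-Za-z0-9_])cert[ \t]*->[ \t]*name([^A-Za-z0-9_]|$)/ {
                    hit("X509 is opaque: use X509_NAME_oneline(X509_get_subject_name(cert), ...)") }
                # requiring "(" right after the name keeps *_ex from matching
                /(^|[^A-Za-z0-9_])TLSv1_client_method[ \t]*\(/ {
                    hit("deprecated: use TLS_client_method") }
                /(^|[^A-Za-z0-9_])RSA_generate_key[ \t]*\(/ {
                    hit("deprecated: use RSA_generate_key_ex") }
            ' "$f"
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input (not the real c-client source).
write_sample() {
    cat > "$1/ssl_sample.c" <<'EOF'
/* constructed sample for the scanner */
SSL_CTX *ctx = SSL_CTX_new(TLSv1_client_method());
RSA *key = RSA_generate_key(2048, RSA_F4, NULL, NULL);
RSA_generate_key_ex(rsa, 2048, e, NULL);
syslog(LOG_INFO, "peer: %s", cert->name);
char *s = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
EOF
}

# Demo on the sample tree; a non-zero status means porting work remains.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
scan_openssl11_port "$demo_dir" || echo "port incomplete: fix the lines above"
rm -rf "$demo_dir"
```

Run against a real tree, the non-zero exit status lets a build script stop before linking against OpenSSL 1.1.1 while old call sites remain.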