Quoting "Mário A. Pinho" <[EMAIL PROTECTED]>:

Hi Folks,


I am using qmail-ldap-1.03-20040701-patch, compiled as follows:
...
Everything works fine, except for STARTTLS, which is unrecognized by
Mozilla, KMail, or even openssl s_client.
...
Any idea?

Have you applied the patch mentioned in http://www.mail-archive.com/[EMAIL PROTECTED]/msg01956.html?

--
Tomas

Yes, it was applied. If you look at the log that I modified, errno reports "Bad File Descriptor".

Regards,

Mário

---------------------------------------------------------
This message was sent using LymckWeb Webmail.

I found and fixed the problem. The patch must be applied to qmail-smtpd.c, in the smtp_tls function:

  if(!(ssl=SSL_new(ctx)))
  {
    logline(3,"aborting TLS connection, unable to set up SSL session");
    die_read();
  }
-  SSL_set_fd(ssl,0);
+  SSL_set_rfd(ssl,substdio_fileno(&ssin));
+  SSL_set_wfd(ssl,substdio_fileno(&ssout));
  if(SSL_accept(ssl)<=0)
  {
    logline(3,"aborting TLS connection, unable to finish SSL accept");
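
Review bot: the two added calls, SSL_set_rfd and SSL_set_wfd, have their return values ignored before SSL_accept runs. Both return 0 on failure, so check each one and take the same logline/die_read path as the SSL_new failure above; since the bug being fixed showed up as "Bad file descriptor", a descriptor that cannot be attached should be reported at this point rather than as a generic failed accept. A short comment saying why separate read and write descriptors taken from ssin and ssout replace SSL_set_fd(ssl,0) would also help the next reader.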

It fixes the underlying "Bad file descriptor" error. Is it possible for it to be
included in the next qmail-ldap patch version?

Another problem I found (and solved) concerns the "make cert" operation in
Debian.
openssl does not generate a correct certificate. For Debian users having
problems, a mini howto follows (thanks to [EMAIL PROTECTED]):

# cp /usr/lib/ssl/misc/CA.sh /usr/local/sbin/CA.sh
# vi /usr/local/sbin/CA.sh (find and change the following lines to)
DAYS="-days 7300" # 20 years
CATOP=/etc/ssl
# cd /etc/ssl
# vi openssl.cnf (find and change the following line to)
dir = ./
# /usr/local/sbin/CA.sh -newca
# ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
# openssl req -new -nodes -keyout private/hostnamekey.pem -out \
    certs/hostnamereq.pem
# openssl ca -out certs/hostnamecert.pem -in \
    certs/hostnamereq.pem
# openssl x509 -in certs/hostnamecert.pem -out certs/hostnamecert.crt
# cat private/hostnamekey.pem certs/hostnamecert.crt >mail.pem
# ln -s /etc/ssl/mail.pem /var/qmail/control/cert.pem

It was tested, and is working, in KMail and Mozilla Mail.

The mail.pem file can be used in courier-imap and courier-pop; it works fine.

Also, you can use (I tested it and it appears to be OK) hostnamecert.pem, hostnamekey.pem
and cacert.pem in OpenLDAP.

Regards,

Mário Pinho
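
Added example, not part of the original message and not qmail-ldap code: a shell check for a combined key-plus-certificate file such as the mail.pem built in the howto above. It confirms the file is not readable by group or other (the key was created with -nodes, so it is unencrypted), that the key and certificate belong together, and that the certificate verifies against the CA file. The helper name check_pem_bundle and the two paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): sanity checks for a combined
# key+certificate PEM such as the howto's mail.pem.
# check_pem_bundle is a hypothetical helper name; paths come from the caller.
# Usage: check_pem_bundle BUNDLE CACERT   (returns 0 only if every check passes)
check_pem_bundle() {
    bundle=$1
    ca=$2
    rc=0

    # 1. The bundle holds an unencrypted private key, so group and other must
    #    have no access. -L follows a symlink such as control/cert.pem.
    perms=$(ls -lLd "$bundle" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $bundle is accessible to group/other (or missing)"
        rc=1
    fi

    # 2. The public key derived from the private key must equal the one in
    #    the certificate; otherwise the TLS handshake cannot complete.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key and certificate in $bundle do not match"
        rc=1
    fi

    # 3. The certificate must chain to the CA file that clients are given.
    if ! openssl x509 -in "$bundle" 2>/dev/null |
            openssl verify -CAfile "$ca" >/dev/null 2>&1; then
        echo "FAIL: certificate in $bundle does not verify against $ca"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $bundle"
    fi
    return "$rc"
}

# Run the check when the script is called with two arguments.
if [ "$#" -eq 2 ]; then
    check_pem_bundle "$1" "$2"
fi
```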

