[Dovecot] Solaris hardware crypto engines

Timo Sirainen tss at iki.fi
Mon Nov 21 23:52:28 EET 2011


On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
> Hello,
> after several tests (and reading a lot of howtos) I'm now fairly convinced
> that the Solaris HW-crypto engine is not automatically used. Even when dovecot
> is compiled with the OpenSSL version provided by Solaris.
> 
> Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
> after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
> 
>   ENGINE *e;
>   ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));

Does "openssl engine" return this "pkcs11" string?

>   ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
>   ENGINE_set_default_ciphers(e);
> 
> in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
> the crypto device gets used. I'm sure that this is not the whole story since
> this only seems to affect the IMAP login.

It should work for POP3 as well, all of the SSL code is shared.

> One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in
> the various articles). Is there any chance that Dovecot gets updated/patched
> for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.

I guess I could add ssl_crypto_device setting for this. But I'll need to
figure out proper ifdefs to avoid compile failures with older OpenSSL
versions.
