[Dovecot] Solaris hardware crypto engines

Martin Preen preen at informatik.uni-freiburg.de
Tue Nov 22 00:49:28 EET 2011


Timo Sirainen wrote:
> On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
>> Hello,
>> after several tests (and reading a lot of howto's) I'm now fairly convinced
>> that the Solaris HW-crypto engine is not automatically used. Even when dovecot
>> is compiled with the OpenSSL version provided by Solaris.
>>
>> Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
>> after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
>>
>>   ENGINE *e;
>>   ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
> 
> Does "openssl engine" return this "pkcs11" string?

This requires the Solaris OpenSSL version
(or another version using the pkcs11 patch).

# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support

>>   ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
>>   ENGINE_set_default_ciphers(e);
>>
>> in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
>> the crypto device gets used. I'm sure that this is not the whole story since
>> this only seems to affect the IMAP login.
> 
> It should work for POP3 as well, all of the SSL code is shared.

I couldn't find the EncryptUpdate call which has to be changed too
(due to the howto documents). Maybe some other call needs a patch.
But I don't know which.

Martin

>> One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in
>> the various articles). Is there any chance that Dovecot gets updated/patched
>> for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.
> 
> I guess I could add ssl_crypto_device setting for this. But I'll need to
> figure out proper ifdefs to avoid compile failures with older OpenSSL
> versions.
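
Added example (not part of the original thread and not Dovecot's code): one way to wrap the ENGINE calls from the patch quoted above with return-value checks and a compile-time guard, so a missing or failing engine is reported to the caller instead of being silently ignored. `HAVE_OPENSSL_ENGINE`, `USE_ENGINE`, `crypto_device_init()` and `crypto_device_deinit()` are hypothetical names; the OpenSSL path is built only with `-DHAVE_OPENSSL_ENGINE -lcrypto`, otherwise the stub path is compiled.

```c
#include <stdio.h>
#ifdef HAVE_OPENSSL_ENGINE              /* hypothetical configure-time macro */
#  include <openssl/opensslconf.h>
#  ifndef OPENSSL_NO_ENGINE             /* set by OpenSSL builds without ENGINE */
#    include <openssl/engine.h>
#    define USE_ENGINE 1
#  endif
#endif

#ifdef USE_ENGINE
static ENGINE *crypto_engine = NULL;
#endif

void crypto_device_deinit(void)
{
#ifdef USE_ENGINE
	if (crypto_engine != NULL) {
		ENGINE_finish(crypto_engine); /* drops the ENGINE_init() reference */
		ENGINE_free(crypto_engine);   /* drops the ENGINE_by_id() reference */
		crypto_engine = NULL;
	}
	ENGINE_cleanup();
#endif
}

/* Returns 0 on success or when no device is requested, -1 otherwise. */
int crypto_device_init(const char *name)
{
	if (name == NULL || *name == '\0')
		return 0;                     /* empty setting: software crypto */
#ifdef USE_ENGINE
	ENGINE_load_builtin_engines();
	if ((crypto_engine = ENGINE_by_id(name)) == NULL)
		return -1;                    /* e.g. "pkcs11" not in this OpenSSL */
	if (!ENGINE_init(crypto_engine)) {
		ENGINE_free(crypto_engine);
		crypto_engine = NULL;
		return -1;
	}
	/* Same three method classes the patch in the thread sets as defaults. */
	if (!ENGINE_set_default(crypto_engine, ENGINE_METHOD_RSA |
				ENGINE_METHOD_DSA | ENGINE_METHOD_CIPHERS)) {
		crypto_device_deinit();
		return -1;
	}
	return 0;
#else
	return -1;                        /* device requested, no ENGINE support */
#endif
}

int main(int argc, char **argv)
{
	int ret = crypto_device_init(argc > 1 ? argv[1] : "");
	if (ret != 0)
		fprintf(stderr, "crypto device unavailable\n");
	crypto_device_deinit();
	return ret == 0 ? 0 : 1;
}
```

Returning an error when a named device cannot be initialised lets the caller refuse to start rather than run on software crypto while the configuration claims hardware offload.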