[Dovecot] SSL / TLS

Timo Sirainen tss at iki.fi
Mon Jul 27 04:41:19 EEST 2009


On Sun, 2009-07-12 at 19:41 +0100, Ed W wrote:
> Actually that ended up being mainly about the COMPRESS protocol 
> extension - that is interesting, but I personally doubt it offers much 
> extra over a simple outer layer protocol compression algorithm, e.g. 
> native SSL compression.  (However, would settle for either/both...).  
> Some time back you suggested the SSL compression fix was a one liner on 
> the dovecot side though?

After trying for ages to figure this out, I finally found out that it
already works for SSL, as long as OpenSSL is compiled with zlib support.
You can verify this with gnutls-cli (but not openssl s_client):

gnutls-cli --priority NORMAL:+COMP-DEFLATE -p 993 --insecure localhost
..
- Compression: DEFLATE

Also interestingly enough I couldn't make compression work with
gnutls-serv..

> As an aside would it help to have some sample code for zlib?  

Maybe some small sample code could be useful. Although I could also look
at how GNUTLS does it.

> My problem 
> is I don't know where to add it for the COMPRESS protocol 
> implementation...  Zlib itself is pretty straightforward though.

If you (or someone) can implement deflate istream and inflate ostream
code for Dovecot, I can do the rest.

BTW. For Dovecot v2.0 I'm also thinking about changing ssl-proxy code to
be ssl-istream and ssl-ostream instead and then make a bit more generic
login-proxy where you can give any i/ostreams. That'll also make
implementing COMPRESS support easier..
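The thread above asks for zlib sample code for a compressing output stream and a decompressing input stream. The following is an added illustration in Python, not code from the original message or from Dovecot. It assumes raw DEFLATE without a zlib header, as IMAP COMPRESS=DEFLATE (RFC 4978) uses; the names DeflateWriter, InflateReader and demo, and the sample traffic, are hypothetical.

```python
import io
import zlib

class DeflateWriter:
    """Output stream: compresses writes; flush() makes them decodable at once."""
    def __init__(self, raw):
        self.raw = raw
        # wbits=-15 selects raw DEFLATE (RFC 1951): no zlib header or checksum
        self._z = zlib.compressobj(6, zlib.DEFLATED, -15)

    def write(self, data):
        self.raw.write(self._z.compress(data))
        return len(data)

    def flush(self):
        # Z_SYNC_FLUSH pads to a byte boundary but keeps the dictionary, so
        # later lines still benefit from earlier ones
        self.raw.write(self._z.flush(zlib.Z_SYNC_FLUSH))

class InflateReader:
    """Input stream: inflates whatever compressed bytes have arrived so far."""
    def __init__(self, raw, max_out=1 << 20):
        self.raw, self.max_out, self.eof = raw, max_out, False
        self._z = zlib.decompressobj(-15)

    def read(self, n=4096):
        # Input left over from a capped call must be fed back in first
        chunk = self._z.unconsumed_tail or self.raw.read(n)
        # max_out bounds memory per call against highly compressible input
        out = self._z.decompress(chunk, self.max_out)
        self.eof = not chunk and not out
        return out

def demo():
    # Constructed IMAP-like traffic, not captured from a real server
    lines = [b"* OK [CAPABILITY IMAP4rev1 COMPRESS=DEFLATE] ready\r\n"]
    lines += [b"* %d FETCH (FLAGS (\\Seen))\r\n" % i for i in range(1, 51)]
    wire = io.BytesIO()
    out = DeflateWriter(wire)
    for line in lines:
        out.write(line)
        out.flush()          # one flush per response, as a server would
    inp, got = InflateReader(io.BytesIO(wire.getvalue())), b""
    while not inp.eof:
        got += inp.read(7)   # tiny reads: output arrives incrementally
    return len(b"".join(lines)), len(wire.getvalue()), got == b"".join(lines)

if __name__ == "__main__":
    print(demo())
```

demo() returns the plaintext size, the compressed size on the wire, and whether the round trip matched.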