Timo Sirainen wrote:
On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
Hello, after serveral tests (and reading a lot of howto's) I'm now fairly convinced that the Solaris HW-crypto engine is not automatically used. Even when dovecot ist compiled with the OpenSSL version provided by Solaris.
Currently I have only a T1-CPU available for testing (Sun Fire T2000) and after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
ENGINE *e; ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
Does "openssl engine" return this "pkcs11" string?
This requires the Solaris OpenSSL version (or another version using the pkcs11 patch).
# /usr/sfw/bin/openssl engine (pkcs11) PKCS #11 engine support
ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e);
in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit() the crypto device gets used. I'm sure that this is not the whole story since this only seems to affect the IMAP login.
It should work for POP3 as well, all of the SSL code is shared.
I couldn't find the EncryptUpdate call which has to be changed too (due to the howto documents). Maybe some other call needs e patch. But I don't know which.
Martin
One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in the various articles). Is there any chance that Dovecot gets updated/patched for this ? E.g. Like the SSLCryptoDevice setting in Apache's mod_ssl.
I guess I could add ssl_crypto_device setting for this. But I'll need to figure out proper ifdefs to avoid compile failures with older OpenSSL versions.