[Dovecot] DSA support for TLS?
hi all,
i've got dovecot TLS working correctly w/ locally generated *RSA* CA cert, domain privkey & self-signed domain cert. to that end, my dovecot.conf includes:
ssl_key_file = /var/Security/mail.testdomain.com.privkey.rsa.pem
ssl_cert_file = /var/Security/mail.testdomain.com.cert.rsa.pem
ssl_ca_file = /var/Security/MyCertificateAuthority.CA.cert.rsa.pem
ssl_verify_client_cert = no
ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
however, if I try to set up for DSA use:
ssl_key_file = /var/Security/mail.testdomain.com.privkey.dsa.pem
ssl_cert_file = /var/Security/mail.testdomain.com.cert.dsa.pem
ssl_ca_file = /var/Security/MyCertificateAuthority.CA.cert.dsa.pem
ssl_verify_client_cert = no
ssl_parameters_file = /var/Security/dsaparam.pem
ssl_parameters_regenerate = 0
an attempt @ dovecot launch results in a logged error of:
dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file
/var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key
wherein it looks like dovecot is _still_ seeking an RSA key.
fwiw,
% cat /var/Security/mail.testdomain.com.privkey.dsa.pem
-----BEGIN DSA PRIVATE KEY-----
...
i've searched the dovecot wiki, and although the _only_ reference i find to dsa/diffie is @:
http://wiki.dovecot.org/moin.cgi/MainConfig
" ...
SSL parameter file. Master process generates this file for login processes.
It contains Diffie Hellman and RSA parameters. ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat ... "
it does seem to imply that DSA certs are, at least, supported.
comments?
cheers,
richard
On Sun, 2005-09-11 at 12:52 -0700, OpenMacNews wrote:
dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key
Well, I'm not sure why so many other programs seem to want to require RSA private keys (where I looked at examples how to use OpenSSL), but I think this patch fixes it (committing to CVS too): Index: src/login-common/ssl-proxy-openssl.c =================================================================== RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v retrieving revision 1.28 diff -u -r1.28 ssl-proxy-openssl.c --- src/login-common/ssl-proxy-openssl.c 18 Sep 2005 14:43:10 -0000 1.28 +++ src/login-common/ssl-proxy-openssl.c 18 Sep 2005 15:55:35 -0000 @@ -487,8 +487,8 @@ certfile, ssl_last_error()); } - if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile, - SSL_FILETYPE_PEM) != 1) { + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, + SSL_FILETYPE_PEM) != 1) { i_fatal("Can't load private key file %s: %s", keyfile, ssl_last_error()); }
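Review bot: the hunk swaps SSL_CTX_use_RSAPrivateKey_file for SSL_CTX_use_PrivateKey_file, which makes the loader accept any key type, but nothing after the load checks that the key actually belongs to the certificate loaded just above it (the `certfile` context line). Before the patch an RSA-only loader rejected a DSA key outright; now a DSA key configured beside an RSA certificate, or the reverse, will load cleanly and only fail later during the handshake. Suggest adding `if (SSL_CTX_check_private_key(ssl_ctx) != 1)` followed by an `i_fatal("Private key %s doesn't match certificate %s: %s", keyfile, certfile, ssl_last_error());` right after the key is loaded, so a mismatched pair is reported at startup with the file names rather than as an opaque SSL_accept() error.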
hi timo,
On Sun, 2005-09-11 at 12:52 -0700, OpenMacNews wrote:
dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file /var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key
Well, I'm not sure why so many other programs seem to want to require RSA private keys (where I looked at examples how to use OpenSSL), but I think this patch fixes it (committing to CVS too):
Index: src/login-common/ssl-proxy-openssl.c =================================================================== RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v retrieving revision 1.28 diff -u -r1.28 ssl-proxy-openssl.c --- src/login-common/ssl-proxy-openssl.c 18 Sep 2005 14:43:10 -0000 1.28 +++ src/login-common/ssl-proxy-openssl.c 18 Sep 2005 15:55:35 -0000 @@ -487,8 +487,8 @@ certfile, ssl_last_error()); }
- if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile, - SSL_FILETYPE_PEM) != 1) { + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, + SSL_FILETYPE_PEM) != 1) { i_fatal("Can't load private key file %s: %s", keyfile, ssl_last_error()); }
i DL'd the latest CVS, verifying the patch above ... build went fine. using rsa is still ok.
now, when i try to connect w/ DSA i get, in dovecot log, a slightly different error:
dovecot: Sep 18 16:28:19 Warning: imap-login: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [10.0.0.6]
dovecot: Sep 18 16:28:19 Info: imap-login: Disconnected: rip=10.0.0.6, lip=10.0.0.5, TLS
this is with:
ssl_listen = *
ssl_disable = no
verbose_ssl = yes
ssl_key_file = /var/Data/Security/mail.mydomain.com.privkey.rsa.pem
ssl_cert_file = /var/Data/Security/mail.mydomain.com.cert.rsa.pem
ssl_ca_file = /var/Data/Security/mydomain.CA.cert.rsa.pem
ssl_verify_client_cert = no
ssl_parameters_file = /var/Data/Security/mydomain.dsaparam.pem
ssl_parameters_regenerate = 0
ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
in my dovecot config ...
cheers,
richard
On Sun, 2005-09-18 at 16:36 -0700, OpenMacNews wrote:
dovecot: Sep 18 16:28:19 Warning: imap-login: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [10.0.0.6]
Well, this is the error and I don't know if I can do anything about that. Maybe it's a client problem?
ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
What if you just put ALL here, does it then find a working cipher?
Anyway, I'm not all that familiar with SSL problems. Maybe you can get better answers from some OpenSSL-related mailing list.
hi timo,
dovecot: Sep 18 16:28:19 Warning: imap-login: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [10.0.0.6]
Well, this is the error and I don't know if I can do anything about that. Maybe it's a client problem?
thought so too ... i've posed questions to my client (Mulberry) email list. no answer yet.
ssl_cipher_list = ALL:!SSLv2:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
What if you just put ALL here, does it then find a working cipher?
nope, same issue ...
Anyway, I'm not all that familiar with SSL problems. Maybe you can get better answers from some OpenSSL-related mailing list.
fair enuf.
anyway, dsa is low priority for now, as rsa works great and can be made to work for all clients.
for now, sieve operation/management is much more of a priority ... more on the list later.
cheers,
richard
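The two failures in this thread (an RSA-only key loader rejecting a DSA key, then "no shared cipher" once the key loads) can be triaged from the PEM label and the OpenSSL error string alone. The following is an added example, not code from Dovecot or from either poster; the PEM fragments and log lines are constructed to mirror the files and errors quoted above, and `rsa_only_loader_accepts` merely models the pre-patch behaviour rather than calling OpenSSL.

```python
import re

# Constructed PEM fragments (placeholders, not real keys): only the BEGIN label
# is inspected, which is exactly what the two key files in the thread differ in.
SAMPLE_PEMS = {
    "/var/Security/mail.testdomain.com.privkey.rsa.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "/var/Security/mail.testdomain.com.privkey.dsa.pem":
        "-----BEGIN DSA PRIVATE KEY-----\nplaceholder\n-----END DSA PRIVATE KEY-----\n",
}

# Constructed log lines modelled on the two errors quoted in the thread.
LOG_LINES = [
    "dovecot: Sep 11 11:58:43 Error: imap-login: Can't load private key file "
    "/var/Security/mail.testdomain.com.privkey.dsa.pem: error:0607907F:digital "
    "envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key",
    "dovecot: Sep 18 16:28:19 Warning: imap-login: SSL_accept() failed: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [10.0.0.6]",
    "dovecot: Sep 18 16:28:19 Info: imap-login: Disconnected: rip=10.0.0.6, lip=10.0.0.5, TLS",
]

# PEM label -> key type (a PKCS#8 "PRIVATE KEY" label hides the algorithm in DER).
PEM_LABELS = {"RSA PRIVATE KEY": "rsa", "DSA PRIVATE KEY": "dsa",
              "EC PRIVATE KEY": "ec", "PRIVATE KEY": "pkcs8"}

def pem_key_type(pem_text):
    """Key type implied by the first PEM BEGIN label, or None if there is none."""
    m = re.search(r"^-----BEGIN ([A-Z ]+?)-----$", pem_text, re.M)
    return PEM_LABELS.get(m.group(1)) if m else None

def rsa_only_loader_accepts(pem_text):
    # Models pre-patch SSL_CTX_use_RSAPrivateKey_file: RSA keys only.
    # The patched SSL_CTX_use_PrivateKey_file accepts any supported key type.
    return pem_key_type(pem_text) == "rsa"

ERROR_RE = re.compile(r"error:([0-9A-F]{8}):([^:]+):([^:]+):(.+)$")

def classify_tls_error(log_line):
    """Map an OpenSSL error in a dovecot log line to (cause, remediation)."""
    m = ERROR_RE.search(log_line)
    if not m:
        return None
    code, lib, func, reason = m.groups()
    reason = re.sub(r"\s*\[[^\]]*\]$", "", reason)  # drop trailing "[client ip]"
    if reason == "expecting an rsa key":
        return ("key-type-mismatch", "key is not RSA but the server loads it with an "
                "RSA-only call; load it with SSL_CTX_use_PrivateKey_file or use an RSA key")
    if reason == "no shared cipher":
        return ("no-shared-cipher", "client offered no suite usable with the server's "
                "certificate type; a DSA certificate needs DHE-DSS suites on both sides")
    return ("other", f"{code} {lib}:{func}:{reason}")
```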