[Dovecot] OpenSSL fix
Timo Sirainen
tss at iki.fi
Wed Jun 18 04:10:50 EEST 2003
On Wed, 2003-06-18 at 01:27, Jeremy Katz wrote:
> On Sat, 2003-06-14 at 23:58, Timo Sirainen wrote:
> > - OpenSSL problems. Are they really my fault? I have no idea what I
> > could be doing wrong. Maybe some compile option is wrong?
>
> Sorry, found out the answer to this on Friday afternoon (from our local
> ssl guru) and haven't had a chance to sit down and send the reasoning.
>
> Basically, if you're using OpenSSL with the RSA blinding patch as
> supplied by the OpenSSL folks, then the blinding ends up not having
> entropy. This is because /dev/urandom won't exist in your chroot and so
> the SSL entropy isn't able to be setup.
I thought it would have required that in any case..
> Probably the best fix would be initializing SSL bits before the chroot
> (similar to the way timezone setup has to happen). That or making sure
> you have /dev/urandom in your chroot. I was going to look more at the
> former but just haven't had the cycles yet :/
I just looked at OpenSSL sources how it work, I think this would fix it:
diff -u -r1.16 ssl-proxy-openssl.c
--- ssl-proxy-openssl.c 11 Jun 2003 23:26:13 -0000 1.16
+++ ssl-proxy-openssl.c 18 Jun 2003 01:08:07 -0000
@@ -13,6 +13,7 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#include <openssl/rand.h>
#define SSL_CIPHER_LIST "ALL:!LOW"
@@ -403,6 +404,7 @@
void ssl_proxy_init(void)
{
const char *certfile, *keyfile, *paramfile;
+ char buf;
certfile = getenv("SSL_CERT_FILE");
keyfile = getenv("SSL_KEY_FILE");
@@ -439,6 +441,11 @@
if (SSL_CTX_need_tmp_RSA(ssl_ctx))
SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
+
+ /* PRNG initialization might want to use /dev/urandom, make sure it
+ does it before chrooting. */
+ if (RAND_bytes(&buf, 1) != 1)
+ i_fatal("RAND_bytes() failed: %s\n", ssl_last_error());
ssl_proxies = hash_create(default_pool, default_pool, 0, NULL, NULL);
ssl_initialized = TRUE;
More information about the dovecot
mailing list