[Dovecot] Solaris hardware crypto engines

Chris Hoogendyk hoogendyk at bio.umass.edu
Tue Nov 22 00:26:58 EET 2011



On 11/21/11 4:52 PM, Timo Sirainen wrote:
> On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:
>> Hello,
>> after several tests (and reading a lot of howtos) I'm now fairly convinced
>> that the Solaris HW-crypto engine is not automatically used. Even when dovecot
>> is compiled with the OpenSSL version provided by Solaris.
>>
>> Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
>> after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with
>>
>>    ENGINE *e;
>>    ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
> Does "openssl engine" return this "pkcs11" string?
>
>>    ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
>>    ENGINE_set_default_ciphers(e);
>>
>> in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
>> the crypto device gets used. I'm sure that this is not the whole story since
>> this only seems to affect the IMAP login.
> It should work for POP3 as well, all of the SSL code is shared.
>
>> One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in
>> the various articles). Is there any chance that Dovecot gets updated/patched
>> for this? E.g. like the SSLCryptoDevice setting in Apache's mod_ssl.
> I guess I could add ssl_crypto_device setting for this. But I'll need to
> figure out proper ifdefs to avoid compile failures with older OpenSSL
> versions.

Just a quick comment -- the Sun instructions for setting up Apache specifically noted the importance 
of specifying "SSLCryptoDevice pkcs11" in httpd.conf.

So, the OpenSSL provided by Solaris will do what it should, IFF pkcs11 is specified by the program 
that is calling it.

I had an email exchange with a Solaris developer at some point, who said that GnuPG simply could not 
use the crypto device, because it was built with libcrypt, did not use the pkcs11 engine, and it 
would take a significant rewrite to make it do so.


-- 
---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology & Geology Departments
  (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erdös 4
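Two checks follow from the thread above: Timo's question whether `openssl engine` lists a "pkcs11" engine at all, and Chris's point that the engine is only used when the calling program asks for it (Apache's `SSLCryptoDevice`). The script below is an added example, not code from the thread or from Dovecot or Apache; it parses saved `openssl engine` output and an httpd.conf fragment so it can be exercised offline, and only calls the real `openssl` binary when one is present. The sample outputs, the hypothetical helper names, and the assumed engine id string "pkcs11" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the OpenSSL build exposes
# the pkcs11 engine and whether an Apache config actually opts in to it.

# Constructed sample outputs, modelled on the one-engine-per-line format of
# `openssl engine` ("(id) description").
SAMPLE_WITH_PKCS11='(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support'
SAMPLE_WITHOUT_PKCS11='(dynamic) Dynamic engine loading support'

# Constructed httpd.conf fragments: one that selects pkcs11, one that does not.
SAMPLE_HTTPD_CONF='# SSLCryptoDevice builtin
LoadModule ssl_module modules/mod_ssl.so
SSLCryptoDevice pkcs11
SSLEngine on'
SAMPLE_HTTPD_CONF_DEFAULT='LoadModule ssl_module modules/mod_ssl.so
SSLEngine on'

# engine_listed OUTPUT ID: succeeds when ID appears as an engine id "(ID) ...".
engine_listed() {
    printf '%s\n' "$1" | grep -q "^($2) "
}

# engine_status OUTPUT ID: prints "available" or "missing".
engine_status() {
    if engine_listed "$1" "$2"; then echo available; else echo missing; fi
}

# httpd_crypto_device CONF: prints the effective SSLCryptoDevice value.
# Commented-out directives are ignored; the last active directive wins, and
# the absence of a directive means Apache's default, "builtin" (no engine).
httpd_crypto_device() {
    dev=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SSLCryptoDevice[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${dev:-builtin}"
}

# live_engine_status [ID]: runs the real `openssl engine` if the binary exists.
# Returns 2 (and prints nothing) when openssl is unavailable.
live_engine_status() {
    id="${1:-pkcs11}"
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl engine 2>/dev/null) || return 2
    engine_status "$out" "$id"
}

# Stand-alone demonstration on the constructed samples, plus the live check
# when an openssl binary is on PATH.
echo "sample A, pkcs11: $(engine_status "$SAMPLE_WITH_PKCS11" pkcs11)"
echo "sample B, pkcs11: $(engine_status "$SAMPLE_WITHOUT_PKCS11" pkcs11)"
echo "httpd.conf A uses: $(httpd_crypto_device "$SAMPLE_HTTPD_CONF")"
echo "httpd.conf B uses: $(httpd_crypto_device "$SAMPLE_HTTPD_CONF_DEFAULT")"
live=$(live_engine_status pkcs11) && echo "this host, pkcs11: $live"
```

On the host under test, `live_engine_status pkcs11` reporting "missing" means the problem is the OpenSSL build (no engine to select), while "available" together with `httpd_crypto_device` reporting "builtin" means the library is fine and the application simply never asked for the engine, which is the situation the thread describes for Dovecot.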