Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. DBMail>
  3. dev
[DBMail 0001066]: Patch to add DHE/PFS TLS support
bugtrack at dbmail
Mar 18, 2015, 6:08 AM
Post #1 of 2 (1412 views)
Permalink
The following issue has been SUBMITTED.
======================================================================
http://www.dbmail.org/mantis/view.php?id=1066
======================================================================
Reported By: dfroe
Assigned To:
======================================================================
Project: DBMail
Issue ID: 1066
Category: General
Reproducibility: N/A
Severity: feature
Priority: normal
Status: new
target:
======================================================================
Date Submitted: 24-Jan-15 17:36 CET
Last Modified: 24-Jan-15 17:36 CET
======================================================================
Summary: Patch to add DHE/PFS TLS support
Description:
To enhance the security of dbmail's TLS layer using OpenSSL I added some
code to include DHE/PFS support as well as some minor tweaks (disabling
SSLv2/3 and prefering the server cipher suite).
See attachment for a proof of concept.
For me this works fine with dbmail 3.2.1 and openssl 1.0.1l.
Maybe this can be added into git for general use in future releases.
======================================================================

Issue History
Date Modified Username Field Change
======================================================================
24-Jan-15 17:36 dfroe New Issue
24-Jan-15 17:36 dfroe File Added: dbmail-tls-dh.patch

======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
[DBMail 0001066]: Patch to add DHE/PFS TLS support [ In reply to ]
bugtrack at dbmail
Mar 18, 2015, 6:08 AM
Post #2 of 2 (1360 views)
Permalink
A NOTE has been added to this issue.
======================================================================
http://www.dbmail.org/mantis/view.php?id=1066
======================================================================
Reported By: dfroe
Assigned To:
======================================================================
Project: DBMail
Issue ID: 1066
Category: General
Reproducibility: N/A
Severity: feature
Priority: normal
Status: new
target:
======================================================================
Date Submitted: 24-Jan-15 17:36 CET
Last Modified: 04-Mar-15 21:51 CET
======================================================================
Summary: Patch to add DHE/PFS TLS support
Description:
To enhance the security of dbmail's TLS layer using OpenSSL I added some
code to include DHE/PFS support as well as some minor tweaks (disabling
SSLv2/3 and prefering the server cipher suite).
See attachment for a proof of concept.
For me this works fine with dbmail 3.2.1 and openssl 1.0.1l.
Maybe this can be added into git for general use in future releases.
======================================================================

----------------------------------------------------------------------
(0003689) dfroe (reporter) - 04-Mar-15 21:51
http://www.dbmail.org/mantis/view.php?id=1066#c3689
----------------------------------------------------------------------
Using the following code within tls_init method will also enable simple
elliptic curve support (ECDHE).

/* Apply OpenSSL options and init DH/ECDH */
long options = 0;
options |= SSL_OP_CIPHER_SERVER_PREFERENCE; /* Enforce prefered cipher */
options |= SSL_OP_NO_SSLv2; /* Disable SSLv2 (broken) */
options |= SSL_OP_NO_SSLv3; /* Disable SSLv3 (poodle) */
options |= SSL_OP_SINGLE_DH_USE; /* Ensure real PFS for DH */
options |= SSL_OP_SINGLE_ECDH_USE; /* Ensure real PFS for ECDH */
SSL_CTX_set_options(ctx, options);
SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh) {
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
}

Issue History
Date Modified Username Field Change
======================================================================
24-Jan-15 17:36 dfroe New Issue
24-Jan-15 17:36 dfroe File Added: dbmail-tls-dh.patch

04-Mar-15 21:51 dfroe Note Added: 0003689
======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal