changeset 1544:ac6ee442376d HEAD
OpenSSL proxy changes - hopefully fixes something. Also don't crash with
"key not found from hash" if SSL handshake fails.
author | Timo Sirainen <tss@iki.fi> |
date | Thu, 12 Jun 2003 02:26:13 +0300 |
parents | 7ac153f21949 |
children | 9ce3f3f950c5 |
files | src/login-common/ssl-proxy-gnutls.c src/login-common/ssl-proxy-openssl.c |
diffstat | 2 files changed, 16 insertions(+), 8 deletions(-) [+] |
--- a/src/login-common/ssl-proxy-gnutls.c Thu Jun 05 02:00:44 2003 +0300
+++ b/src/login-common/ssl-proxy-gnutls.c Thu Jun 12 02:26:13 2003 +0300
@@ -333,6 +333,8 @@
 proxy->fd_plain = sfd[0];
 proxy->ip = *ip;
+ hash_insert(ssl_proxies, proxy, proxy);
+ proxy->refcount++;
 ssl_handshake(proxy);
 if (!ssl_proxy_destroy(proxy)) {
@@ -342,7 +344,6 @@
 }
 main_ref();
- hash_insert(ssl_proxies, proxy, proxy);
 return sfd[1];
 }
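Review bot: The `proxy->refcount++` taken before `ssl_handshake(proxy)` is the reference that `ssl_proxy_destroy(proxy)` on the following line releases, and because the proxy is now inserted into `ssl_proxies` before the handshake, that call presumably also removes the hash entry on failure (the "key not found from hash" crash the commit message describes); neither pairing is stated in the code. A comment above the insert, `/* hold a ref and a hash entry across the handshake; ssl_proxy_destroy() releases both if it fails */`, would make the ownership explicit for the next reader. Note that this backend calls `ssl_proxy_destroy()` at this point while the OpenSSL backend in the same commit calls `ssl_proxy_unref()`; if both drop a reference, a shared name would stop the two from drifting. The enclosing function starts before the first hunk and the success path after `main_ref()` runs past the second, so it is not reviewable here.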
--- a/src/login-common/ssl-proxy-openssl.c Thu Jun 05 02:00:44 2003 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Thu Jun 12 02:26:13 2003 +0300
@@ -14,6 +14,8 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#define SSL_CIPHER_LIST "ALL:!LOW"
+
 enum ssl_io_action {
 SSL_ADD_INPUT,
 SSL_REMOVE_INPUT,
@@ -320,7 +322,6 @@
 return -1;
 }
- SSL_set_accept_state(ssl);
 if (SSL_set_fd(ssl, fd) != 1) {
 i_error("SSL_set_fd() failed: %s", ssl_last_error());
 SSL_free(ssl);
@@ -344,6 +345,8 @@
 proxy->fd_plain = sfd[0];
 proxy->ip = *ip;
+ hash_insert(ssl_proxies, proxy, proxy);
+ proxy->refcount++;
 ssl_handshake(proxy);
 if (!ssl_proxy_unref(proxy)) {
@@ -353,7 +356,6 @@
 }
 main_ref();
- hash_insert(ssl_proxies, proxy, proxy);
 return sfd[1];
 }
@@ -401,7 +403,6 @@
 void ssl_proxy_init(void)
 {
 const char *certfile, *keyfile, *paramfile;
- int ret;
 certfile = getenv("SSL_CERT_FILE");
 keyfile = getenv("SSL_KEY_FILE");
@@ -418,14 +419,20 @@
 if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
 i_fatal("SSL_CTX_new() failed");
- ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile);
- if (ret != 1) {
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+
+ if (SSL_CTX_set_cipher_list(ssl_ctx, SSL_CIPHER_LIST) != 1) {
+ i_fatal("Can't set cipher list to '%s': %s",
+ SSL_CIPHER_LIST, ssl_last_error());
+ }
+
+ if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
 i_fatal("Can't load certificate file %s: %s",
 certfile, ssl_last_error());
 }
- ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, SSL_FILETYPE_PEM);
- if (ret != 1) {
+ if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile,
+ SSL_FILETYPE_PEM) != 1) {
 i_fatal("Can't load private key file %s: %s",
 keyfile, ssl_last_error());
 }
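Review bot: The new `SSL_CIPHER_LIST` value `ALL:!LOW` still admits anonymous (aNULL/ADH) and export-grade (40/56-bit) suites, because OpenSSL's `ALL` keyword includes both and only `LOW` is excluded; anonymous suites provide no server authentication at all, so a client negotiating one gets no protection from the certificate loaded a few lines below. Changing the define to `#define SSL_CIPHER_LIST "ALL:!LOW:!EXP:!aNULL"` closes both without touching the rest of the `ssl_proxy_init()` hunk. In that same hunk, switching to `SSL_CTX_use_RSAPrivateKey_file()` rejects non-RSA keys that the previous `SSL_CTX_use_PrivateKey_file()` accepted, which should be either intentional or reflected in the "Can't load private key file" message, and once certificate and key are loaded an `if (SSL_CTX_check_private_key(ssl_ctx) != 1) i_fatal("Certificate and private key don't match: %s", ssl_last_error());` would report a mismatched pair at startup instead of at the first handshake, unless that is already done further down — the function continues past the hunk. The removal of `SSL_set_accept_state(ssl)` in the earlier hunk relies on `ssl_handshake()` driving the connection with `SSL_accept()` rather than `SSL_do_handshake()`/`SSL_read()`, which is not visible here.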