[Pkg-Cyrus-imapd-Debian-devel] Re: Experimental cyrus22 packages (preview of upcoming official packages) available on alioth

Sven Mueller pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org
Sat, 16 Apr 2005 00:36:57 +0200


Henrique de Moraes Holschuh wrote on 15/04/2005 22:48:
> On Fri, 15 Apr 2005, Sven Mueller wrote:
> 
>>So: The problem I had with SSL in cyrus22 (for some reason not in
>>cyrus21 as far as I can tell) is actually a problem that doesn't exist
>>if your SSL certificate and key really match.
> 
> 
> That means the other software needs a major thwack in the head and bugs filed
> because they had to notice the problem as well, instead of operating with a
> broken certificate.  Is that correct?  If so, please file bugs :)
> 
I will do that as soon as I have had a chance to study the differences
between their usages of the OpenSSL functions in relation to
cyrus-imapd. However I really wonder why no client noticed a problem
with the SSL protection. I mean: How can a key for one cert create a
valid SSL protected encryption when it is presented with a different cert?

And I just checked: postfix 2.2.2 and cyrus-imapd 2.2.12 use exactly the
same functions to load (and check!) the cert/key pair. I have absolutely
no idea how they could exhibit a behaviour this different.

I even made a minimal C program which simply tried to load the defective
cert/key pair using the routines used in postfix 2.2.2 and cyrus-2.2.12
respectively. Both were 99% identical (no wonder since they both use the
sample routine from openssl) and both failed to load the pair.

If anything, this should be a bug against openssl because the routine
failed while loading the private key, _before_ the pair is verified.
IMHO, it should fail in the verify step instead.

But I'm not even sure about that yet, so I will withhold filing the
bug(s) until I know for sure.

For now, I changed the error message used when the key couldn't be
loaded to give a hint that the key/cert pair might not match.

cu,
sven
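
A pre-deployment check for the cert/key mismatch discussed in this message, as an added example that is not part of the original post or of the cyrus-imapd or postfix code: it compares the public key in the certificate with the one derived from the private key, using the `openssl` command line. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a PEM certificate
# and private key form a pair before a TLS server is pointed at them.
# cert_key_match and its return codes are names invented for this example.

# Print the public key carried in the certificate (SubjectPublicKeyInfo PEM).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from the private key, in the same PEM form.
# "-passin pass:" supplies an empty passphrase so an encrypted key fails
# instead of prompting on the terminal.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# cert_key_match CERT KEY
# Returns 0 if they match, 1 if they do not, 2 if either file cannot be read.
cert_key_match() {
    ckm_cert=$(cert_pubkey "$1") || return 2
    ckm_key=$(key_pubkey "$2") || return 2
    [ -n "$ckm_cert" ] && [ -n "$ckm_key" ] || return 2
    [ "$ckm_cert" = "$ckm_key" ]
}

# Command-line use: sh check-pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    ckm_rc=0
    cert_key_match "$1" "$2" || ckm_rc=$?
    case "$ckm_rc" in
        0) echo "OK: $2 is the private key for $1" ;;
        1) echo "MISMATCH: $2 does not belong to $1" >&2 ;;
        *) echo "ERROR: could not parse $1 or $2" >&2 ;;
    esac
    exit "$ckm_rc"
fi
```

Keeping "mismatch" and "unreadable" as separate exit codes gives an operator the same distinction that the changed error message hints at.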