[Pkg-Cyrus-imapd-Debian-devel] Re: Experimental cyrus22 packages
(preview of upcoming official packages) available on alioth
Sven Mueller
pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org
Sat, 16 Apr 2005 00:36:57 +0200
Henrique de Moraes Holschuh wrote on 15/04/2005 22:48:
> On Fri, 15 Apr 2005, Sven Mueller wrote:
>
>>So: The problem I had with SSL in cyrus22 (for some reason not in
>>cyrus21 as far as I can tell) is actually a problem that doesn't exist
>>if your SSL certificate and key really match.
>
>
> That means the other software need a major twack in the head and bugs filed
> because they had to notice the problem as well, instead of operating with a
> broken certificate. Is that correct? If so, please file bugs :)
>
I will do that as soon as I had a chance to study the differences
between their usages of the openSSL functions in relation to
cyrus-imapd. However I really wonder why no client noticed a problem
with the SSL protection. I mean: How can a key for one cert create a
valid SSL protected encryption when it is presented with a different cert?
And I just checked: postfix 2.2.2 and cyrus-imapd 2.2.12 use exactly the
same functions to load (and check!) the cert/key pair. I have absolutely
no idea how they could exhibit a behaviour this different.
I even made a minimal C program which simply tried to load the defective
cert/key pair using the routines used in postfix 2.2.2 and cyrus-2.2.12
respectively. Both were 99% identical (no wonder since the both use the
sample routine from openssl) and both failed to load the pair.
If anything, this should be a bug against openssl because the routine
failed while loading the private key, _before_ the pair is verified.
IMHO, it should fail in the verify step instead.
But I'm not even sure about that yet, so I will withhold filing the
bug(s) until I know for sure.
For now, I changed the error message used when the key couldn't be
loaded to give a hint that the key/cert pair might not match.
cu,
sven