hi,
when i was last whining about not knowing a method how to test
starttls'ed sessions (ie. connection is in plain, but switches over to
ssl down the road), some of you guys have expressed interest in a
solution.
now, i've found a way that could provide the solution very easily,
but... but i'm stuck somewhere in between.
i'm not really expecting anyone here be an experienced pike programmer
(except for you, m, and i'm expecting you to hel;p:), so i'm keeping
the long story short:
in my code, i'm setting up acceptable ssl ciphers, which is pretty
much everthing my pike7.2 installation knows about:
context->preferred_suites = ({
SSL_fortezza_dms_with_rc4_128_sha,
SSL_fortezza_dms_with_fortezza_cbc_sha,
SSL_fortezza_dms_with_null_sha,
SSL_dh_anon_with_3des_ede_cbc_sha,
SSL_dh_anon_with_des_cbc_sha,
SSL_dh_anon_with_rc4_128_md5,
SSL_dhe_rsa_with_3des_ede_cbc_sha,
SSL_dhe_rsa_with_des_cbc_sha,
SSL_dhe_dss_with_3des_ede_cbc_sha,
SSL_dhe_dss_with_des_cbc_sha,
SSL_dh_rsa_with_3des_ede_cbc_sha,
SSL_dh_rsa_with_des_cbc_sha,
SSL_dh_dss_with_3des_ede_cbc_sha,
SSL_dh_dss_with_des_cbc_sha,
SSL_rsa_with_3des_ede_cbc_sha,
SSL_rsa_with_des_cbc_sha,
SSL_rsa_with_idea_cbc_sha,
SSL_rsa_with_rc4_128_sha,
SSL_rsa_with_rc4_128_md5,
SSL_dh_anon_export_with_des40_cbc_sha,
SSL_dh_anon_export_with_rc4_40_md5,
SSL_dhe_rsa_export_with_des40_cbc_sha,
SSL_dhe_dss_export_with_des40_cbc_sha,
SSL_dh_rsa_export_with_des40_cbc_sha,
SSL_dh_dss_export_with_des40_cbc_sha,
SSL_rsa_export_with_des40_cbc_sha,
SSL_rsa_export_with_rc2_cbc_40_md5,
SSL_rsa_export_with_rc4_40_md5,
SSL_rsa_with_null_sha,
SSL_rsa_with_null_md5,
SSL_null_with_null_null
});
however, using this ssl socket to connect to exim results in the
following error from my exim:
TLS error on connection from zzz
[1.2.3.4] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
exim is compiled against openssl 0.9.6b, and otherwise it seems to
work fine (ie no problems with ssl clients, sending to ssl hosts and
the like).
i know Matthew won't like me for this :), but the setup is pretty much
expecting opportunistic encryption (so no certs on the exim side, nor
on the client side).
i think i need to note that with a courier imap installation (which i
know nothing further about), from where my test code is coming, a
significantly smaller subset of usable ciphers results in a good
communication with the server.
if anyone has any idea that even remotely seems to be in connection
with the problem, please mail me off-list. i'll of course let the list
know if and when the solution is usable ;)
thanks,
--
[-]
