[Tickets #13730] Re: Implementation of peer verification in TLS connections
noreply at bugs.horde.org
noreply at bugs.horde.org
Fri Dec 26 00:44:07 UTC 2014
PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS
E-MAIL ADDRESS ARE NOT READ.
Ticket-URL: https://bugs.horde.org/ticket/13730
------------------------------------------------------------------------------
Ticket | 13730
Updated By | m_horde at secure.mailbox.org
Summary | Implementation of peer verification in TLS connections
Queue | Horde Framework Packages
Type | Enhancement
State | New
Priority | 1. Low
Milestone |
Patch | 1
Owners |
+New Attachment |
0001-Implementation-of-peer-verification-in-TLS-connectio.patch
------------------------------------------------------------------------------
m_horde at secure.mailbox.org (2014-12-26 00:44) wrote:
On my server I need the peer verification to connect to a remote IMAP
server. Therefore I focused my effort on that. To avoid using $GLOBALS
I moved all configuration options in the backend config of IMP. This
way every backend can be configured separately.
=== How does it work? ===
There is a new array in the backend config file named "tls_params".
This stores all necessary information for the TLS connection. Please
refer to the documentation in backends.conf for details. The involved
libraries are modified to pass tls_params to Socket Client, where they
are used to create the SSL context. A new feature is the fingerprint
check. This cannot be done directly by setting the SSL context,
because the encryption is enabled after the socket is created.
Therefore this check has to be done separately after the starttls
command.
=== Benefits ===
Peer verification with a trusted bundle of certificate authorities can
be enabled for remote IMAP servers. Further the connection can be
limited to a specified certificate by its fingerprint.
=== Regressions ===
There are no regressions I am aware of. As long as the new
configuration array (tls_params) is not used, the library will work as
usual.
m_horde at secure.mailbox.org (2014-12-26 00:44) uploaded:
0001-Implementation-of-peer-verification-in-TLS-connectio[2].patch
https://bugs.horde.org/h/services/download/?app=whups&actionID=download_file&file=0001-Implementation-of-peer-verification-in-TLS-connectio%5B2%5D.patch&ticket=13730&fn=%2F0001-Implementation-of-peer-verification-in-TLS-connectio%5B2%5D.patch
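The two-stage check the ticket describes (CA-based peer verification set on the SSL stream context, then a fingerprint check that can only run after STARTTLS has enabled encryption) sketched as an added PHP example. This is not the attached patch or Horde's code; the `tls_params` array name follows the ticket, but the key names (`verify_peer`, `cafile`, `peer_name`, `fingerprint`), the function names and the simplified IMAP STARTTLS exchange are assumptions made for illustration.

```php
<?php
// Added example (not Horde's code). Shows why the fingerprint check must run
// separately: the SSL context is attached when the plaintext socket is created,
// but the peer certificate only exists once stream_socket_enable_crypto() has
// completed the handshake after STARTTLS.
declare(strict_types=1);

/**
 * Build an SSL stream context from the per-backend tls_params.
 * Assumed keys: 'verify_peer', 'verify_peer_name', 'cafile', 'peer_name',
 * 'fingerprint' (hex SHA-256 of the leaf certificate, colons optional).
 */
function build_ssl_context(array $tls_params)
{
    $ssl = [
        'verify_peer'       => $tls_params['verify_peer'] ?? true,
        'verify_peer_name'  => $tls_params['verify_peer_name'] ?? true,
        'allow_self_signed' => false,
        // Required so the leaf certificate can be read back for the pin check.
        'capture_peer_cert' => true,
    ];
    if (!empty($tls_params['cafile'])) {
        $ssl['cafile'] = $tls_params['cafile'];   // trusted CA bundle
    }
    if (!empty($tls_params['peer_name'])) {
        $ssl['peer_name'] = $tls_params['peer_name'];
    }
    return stream_context_create(['ssl' => $ssl]);
}

/**
 * Compare the presented leaf certificate against the configured fingerprint.
 * Returns true when no pin is configured (CA verification alone decides).
 */
function fingerprint_matches($stream, array $tls_params): bool
{
    if (empty($tls_params['fingerprint'])) {
        return true;
    }
    $opts = stream_context_get_options($stream);
    $cert = $opts['ssl']['peer_certificate'] ?? null;
    if ($cert === null) {
        return false;   // handshake did not capture a certificate
    }
    $actual   = openssl_x509_fingerprint($cert, 'sha256');   // lowercase hex
    $expected = strtolower(str_replace(':', '', $tls_params['fingerprint']));
    return hash_equals($expected, $actual);
}

/** Connect in plaintext, issue STARTTLS, then apply both checks. */
function connect_starttls(string $host, int $port, array $tls_params)
{
    $ctx   = build_ssl_context($tls_params);
    $errno = 0;
    $errstr = '';
    // Plaintext connection; the SSL options sit on the stream but are not
    // applied until crypto is enabled.
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fgets($fp);                                  // server greeting
    fwrite($fp, "a001 STARTTLS\r\n");
    $resp = (string) fgets($fp);                 // expect "a001 OK ..."
    if (strpos($resp, 'a001 OK') !== 0) {
        fclose($fp);
        throw new RuntimeException('server refused STARTTLS');
    }

    // CA verification (verify_peer, cafile, peer_name) is enforced here.
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake or peer verification failed');
    }
    // Only now is there a certificate to pin against.
    if (!fingerprint_matches($fp, $tls_params)) {
        fclose($fp);
        throw new RuntimeException('peer certificate fingerprint mismatch');
    }
    return $fp;
}

// Constructed sample configuration; values are placeholders, not real hosts.
$tls_params = [
    'verify_peer' => true,
    'cafile'      => '/etc/ssl/certs/ca-certificates.crt',
    'peer_name'   => 'imap.example.invalid',
    'fingerprint' => 'AA:BB:CC:00:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB',
];
// $imap = connect_starttls('imap.example.invalid', 143, $tls_params);
```

Failing the handshake closes the socket rather than falling back to plaintext, and the fingerprint comparison uses `hash_equals()` so a mismatch is rejected without a timing side channel; both checks are skipped entirely when the relevant `tls_params` entry is absent, matching the ticket's statement that unused configuration leaves existing behaviour untouched.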