Patches to enable SSL for ucspi-tcp in order to run fefe's
All patches are based on
The original patch enabling SSL is
(originally used for qmail over SSL), c.f.
fnord mini HOWTO
We have a jail patch
which includes André's patch and adds options -j and -J,
to have the SSL translator process chroot to a jail directory (-J),
which should be completely empty,
and drop root to a nonprivileged uid (-j) before starting
any SSL communications.
This way, if the SSL is compromised by yet another OpenSLL buffer overflow,
the damage is limited to
- manipulating the communication,
which is no problem since the other side can send any crap it wants
even via an uncompromised SSL connection, anyway
- using up ressources,
which can be addressed using softlimit and/or quotas for the jail user
- exploiting kernel bugs
like the recent do_mremap issue, which you should fix
The CA cert file patch
includes the other patches and adds an option -a to specify a file
containing CA (certificate authority) certificates like
with the Apache mod_ssl option SSLCACertificateFile.
Note that unlike Apache, fnord/ucspi-tcp-ssl does not perform
client authentication. Yet, special CA certificates are sometimes needed
if an intermediate certificate used by your issuing CA expires
(which recently happened for some Verisign intermediate certs).
So, to add to the
Intermediate CA Replacement Instructions
: for fnord/ucspi-tcp-ssl, get this patch and the new "intermediate.crt"
offered by Verisign and run tcpserver with "-a intermediate.crt". That's it.
Note that the file given with -a is passed to SSL_CTX_load_verify_locations
and thus may contain several CA certificates, which will be used during
SSL connection negotiation to close any gap in the certificate chain.