Patch by Robert Scheck for Zarafa >= 7.1.12 which implements ECDHE (elliptic curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is providing more information about elliptic curves. Suggestions for testing; run the following openssl(1) commands before and after applying this patch: 1. echo QUIT | openssl s_client -connect :110 -starttls pop3 2>&1 | grep Cipher 2. echo QUIT | openssl s_client -connect :143 -starttls imap 2>&1 | grep Cipher 3. echo QUIT | openssl s_client -connect :237 2>&1 | grep Cipher 4. echo QUIT | openssl s_client -connect :993 2>&1 | grep Cipher 5. echo QUIT | openssl s_client -connect :995 2>&1 | grep Cipher 6. echo QUIT | openssl s_client -connect :8443 2>&1 | grep Cipher After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result is e.g. "AES256-GCM-SHA384". Important: The technical implementation of this patch might be not perfect as I am not really a C/C++ developer. The logic and the implementation is heavily based on Sendmail. There should be a code review by an experienced C/C++ and OpenSSL developer before merging into Zarafa core. This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131. Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, initial patch was put into upstream ticket https://jira.zarafa.com/browse/ZCP-12237. --- zarafa-7.1.12/common/ECChannel.cpp 2015-04-07 13:10:12.000000000 +0200 +++ zarafa-7.1.12/common/ECChannel.cpp.ssl_ecdhe 2015-04-07 17:12:15.000000000 +0200 @@ -93,6 +93,9 @@ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers"); char *ssl_name = NULL; int ssl_op = 0, ssl_include = 0, ssl_exclude = 0; +#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) + EC_KEY *ecdh; +#endif if (lpConfig == NULL) { lpLogger->Log(EC_LOGLEVEL_ERROR, "ECChannel::HrSetCtx(): invalid parameters"); @@ -113,6 +116,16 @@ SSL_CTX_set_options(lpCTX, SSL_OP_ALL); // enable quirk and bug workarounds +#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + + if (ecdh != NULL) { + SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_tmp_ecdh(lpCTX, ecdh); + EC_KEY_free(ecdh); + } +#endif + ssl_name = strtok(ssl_protocols, " "); while(ssl_name != NULL) { int ssl_proto = 0; --- zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp 2015-04-07 13:10:13.000000000 +0200 +++ zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2015-04-07 17:13:23.000000000 +0200 @@ -235,6 +235,9 @@ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers"); char *ssl_name = NULL; int ssl_op = 0, ssl_include = 0, ssl_exclude = 0; +#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) + EC_KEY *ecdh; +#endif if(lpServerName == NULL) { free(server_ssl_ciphers); @@ -268,6 +271,16 @@ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL); +#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + + if (ecdh != NULL) { + SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh); + EC_KEY_free(ecdh); + } +#endif + ssl_name = strtok(server_ssl_protocols, " "); while(ssl_name != NULL) { int ssl_proto = 0;