TLS support in Archiveopteryx

TLS provides privacy and integrity protection to protocols like IMAP and SMTP. (It is best known for its use by «secure web sites».)

Archiveopteryx offers to use TLS with all supported protocols. All clients that support TLS will normally use it with Archiveopteryx.

At the present time, Archiveopteryx never initiates connections, so it does not need to provide client-side TLS, certificate matching etc.

Archiveopteryx uses the open-source cryptlib library to implement TLS.

Certificates

Archiveopteryx supports using the usual sort of certificate from a proper CA.

If you have a certificate in OpenSSL format, Abhijit Menon-Sen has written a program to convert certificates and keys from that format to cryptlib's.

In addition, Archiveopteryx can generate a certificate for itself: if no certificate is configured, Archiveopteryx silently generates a self-signed certificate at startup. While we don't think using self-signed certificates is a very good idea, it's much better than using plain text.

Ciphers

With TLS, the server offers a list of ciphers to the client, and the client chooses.

At the present time, Archiveopteryx offers to use most of the ciphers cryptlib supports, avoiding only patented and obscure ones. At some point, we plan to add a configuration option so that the sysadmin can choose which ciphers are permitted; by default only strong ciphers will then be offered to the client.
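Because the server silently falls back to a self-signed certificate and does not yet let the sysadmin restrict the cipher list, an administrator will want to check from the outside what a client actually gets. The following is an added example, not part of this page or of Archiveopteryx itself; it assumes the server accepts IMAP STARTTLS on port 143 and uses Python's standard imaplib and ssl modules. The sample certificate dictionary is constructed in the shape that ssl's getpeercert() returns.

```python
import imaplib
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a
# self-signed certificate: issuer and subject are the same name.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "notAfter": "Dec  1 00:00:00 2008 GMT",
}

# Cipher-suite name fragments an admin would not want offered at all.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")


def is_self_signed(cert):
    """True when the peer certificate's issuer equals its subject."""
    return bool(cert) and cert.get("subject") == cert.get("issuer")


def cipher_is_weak(cipher_name):
    """Flag a negotiated suite (OpenSSL naming, e.g. 'RC4-SHA') as weak."""
    parts = cipher_name.upper().replace("-", "_").split("_")
    return any(marker in parts for marker in WEAK_MARKERS)


def inspect_imap_starttls(host, port=143):
    """Upgrade an IMAP connection with STARTTLS and report what was negotiated.

    Verification uses the system CA store, so the silently generated
    self-signed certificate shows up as 'trusted': False with the reason.
    """
    ctx = ssl.create_default_context()
    imap = imaplib.IMAP4(host, port)
    try:
        imap.starttls(ctx)  # hypothetical assumption: server offers STARTTLS on 143
    except ssl.SSLCertVerificationError as err:
        return {"trusted": False, "reason": err.verify_message}
    cert = imap.sock.getpeercert()
    name, protocol, bits = imap.sock.cipher()
    return {
        "trusted": True,
        "self_signed": is_self_signed(cert),
        "cipher": name,
        "protocol": protocol,
        "bits": bits,
        "weak_cipher": cipher_is_weak(name),
    }
```

Run inspect_imap_starttls("mail.example.com") against your own server; a result with "trusted": False and a self-signed-certificate reason means the configured certificate was never picked up.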

In case of questions, please write to info@oryx.com.

About this page

Last modified: 2007-12-01
Location: aox.org/tls