[BlueOnyx:13693] Re: error in new ssl settings for admserv?

Michael Stauber mstauber at blueonyx.it
Sun Sep 15 17:53:39 -05 2013


Hi Dan,

> I've just been reading this and wanted to say a HUGE thank you for this 
> work.  It's the sort of thing I do for my customers but couldn't really 
> do for our BX boxes as the config is so ingrained into BX itself.

Thank you. There is a bit more that I want to do there. Both short term
and long term. Like let us take a long hard look at what we can do in
regards to email over SSL. There certainly are similar improvements that
can and need to be done in that respect.

With that I'm also looking for suggestions on what can and should be done.

Long term, I'm considering shifting certain daemons on BlueOnyx
520XR (currently in development) towards less dependency on the crippled
OpenSSL that RedHat (and therefore CentOS and/or Scientific Linux)
provide. That way we could use the more secure ECDH ciphers for both
HTTPS and other SSL related protocols.

For that we'd need to use a self-compiled OpenSSL (installed in a
separate directory) and compile certain daemons such as the latest
Apache (or Nginx) against it. That could also include a newer OpenSSH.
Dovecot and ProFTPD are already served out of the BlueOnyx repositories,
so we could simply recompile them against that newer OpenSSL as well.

But I don't want to make a hasty decision there, as such a change
requires architectural changes that have a lot of impact on the ability
to maintain the distribution as a whole.

Ultimately it's not just a software problem, but goes a lot deeper.

-- 
With best regards

Michael Stauber


