Re: STARTTLS problems

  • Viktor Dukhovni
    Message 1 of 17, Apr 25, 2012
      On Wed, Apr 25, 2012 at 06:25:06AM -0500, Noel Jones wrote:

      > On 4/25/2012 4:07 AM, Mark Alan wrote:
      >
      > > While the postfix updates do not get into each distribution
      > > repositories, should we use the following?
      > >
      > > postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
      > > postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
      >
      > It seems this is a reasonable setting for sites that have upgraded
      > both openssl and postfix to latest versions.
      >
      > Unfortunately, the !TLSv1.2 option will give an "unknown protocol"
      > error unless BOTH your postfix knows about that option, AND postfix
      > is linked with an openssl version that has that option. End result
      > is this can't be a global postfix default setting, and can't be used
      > on older postfix versions. There is no workaround for this.

      This is not nearly so dire. Very few users are using OpenSSL 1.0.1,
      or 1.0.1a. Most OS distributions are still on 0.9.8x or 1.0.0.

      By the time these distributions upgrade to 1.0.1a and ship a Postfix
      linked with that OpenSSL version, perhaps the interoperability
      issues will be resolved in either OpenSSL, the problem peers, or
      both.

      So the work-around is not a suitable Postfix default setting, it
      is just a work-around, and as such needs to be applied only by
      the brave souls (running bleeding edge OpenSSL libraries) who
      need it.

      I'm (slowly, not much time for this) working on a general mechanism
      to allow disabling of *future* TLS versions, without new Postfix
      code, but this may well not be needed for a decade or more; there
      is not much evidence of a TLS 1.3 in the making, and standards
      groups take years to produce a new standard and further years elapse
      before these standards are implemented.

      The immediate work-around is sufficient for a long time, and I
      expect that the interoperability issues in TLS will be addressed
      by the major platforms.

      --
      Viktor.
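Added example, not part of the thread: a small POSIX sh check that validates a Postfix *_tls_protocols value against the protocol names the local Postfix/OpenSSL build accepts before the value is committed with postconf -e, so the "unknown protocol" failure Noel describes is caught up front rather than at runtime. The list of accepted names is an assumption supplied by the caller, because which names are valid depends on the Postfix version and the OpenSSL it is linked with.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix itself.
# check_tls_protocols "<protocol list>" "<space-separated known names>"
#   Returns 0 when every entry in the list (with or without the '!'
#   exclusion prefix) is a name this build knows, 1 otherwise, naming the
#   offending entries on stderr.
# Assumption: the caller supplies the known names for its own build, e.g.
#   "SSLv2 SSLv3 TLSv1" for an older Postfix/OpenSSL pair, or
#   "SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" for one that understands TLS 1.2.
check_tls_protocols() {
    list=$1
    known=$2
    bad=""
    # Postfix accepts commas and/or whitespace as separators.
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        name=${entry#!}              # strip an optional leading '!'
        [ -n "$name" ] || continue
        found=0
        for k in $known; do
            if [ "$k" = "$name" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            bad="$bad $entry"
        fi
    done
    if [ -n "$bad" ]; then
        printf 'unknown protocol name(s):%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use (constructed): only commit the workaround from the thread
# when this build recognises every name in it.
# known="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
# check_tls_protocols '!SSLv2, !TLSv1.2' "$known" \
#     && postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
```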