On Tue, Feb 13, 2024 at 01:20:00PM -0500, Wietse Venema via Postfix-users wrote:
> > Obsoleted by automatic negotiation in the SSL code:
> >
> > - smtpd_tls_dh1024_param_file = auto
> > - smtpd_tls_eecdh_grade = auto
> >
> > [ We could delete the underlying support code for the explicit choices,
> > and always use 'auto' with a warning if the configuration specifies
> > a different choice. Mind you, automatic DH group negotiation is
> > prone to choosing largish > 2048-bit groups, when the server will sign
> > with a large RSA private key, but this feels somewhat justifiable. ]
>
> Isn't that TLS version dependent, or have we already lost support for
> the old way?
For EECDH, "auto" has worked for a long time, and is basically an
interoperability requirement!
Automatic (FF)DH group selection in the SSL stack requires OpenSSL 3.0,
but recent Postfix versions emulate "auto" by using a compiled-in DH
group, which is quite "good enough" in practice. So "auto" already
works.
--
Viktor.
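As an added example (not part of the thread, and not Postfix's own code), the script below audits a main.cf for explicit, non-"auto" settings of the two parameters the thread says are obsoleted, smtpd_tls_dh1024_param_file and smtpd_tls_eecdh_grade. It folds Postfix continuation lines (a line starting with whitespace continues the previous logical line) before comparing values, so a value wrapped onto the next line is not missed. The function names and the sample main.cf contents are constructed for the example; comment handling is simplified to lines beginning with '#'.

```shell
#!/bin/sh
# Added example: report explicit smtpd_tls_dh1024_param_file /
# smtpd_tls_eecdh_grade settings in a Postfix main.cf.
# Usage: check_tls_params /etc/postfix/main.cf
# Prints "name=value" for each explicit (non-auto) setting and returns 1
# if any was found; returns 0 if both are "auto" or unset.
check_tls_params() {
    awk '
        /^#/              { next }                      # comment line (simplified)
        /^[[:space:]]*$/  { next }                      # blank line
        /^[[:space:]]/    { cur = cur " " $0; next }    # continuation of previous logical line
        { if (cur != "") emit(cur); cur = $0 }          # new logical line
        END { if (cur != "") emit(cur); exit bad }

        # Split one folded logical line at the first "=" and inspect it.
        function emit(line,   i, name, val) {
            i = index(line, "=")
            if (i == 0) return
            name = substr(line, 1, i - 1)
            val  = substr(line, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if ((name == "smtpd_tls_dh1024_param_file" || name == "smtpd_tls_eecdh_grade") \
                && val != "auto") {
                print name "=" val
                bad = 1
            }
        }
    ' "$1"
}

# Constructed sample main.cf (not from the thread): an older style config
# that pins an explicit DH parameter file (wrapped onto a continuation
# line) and an explicit EECDH grade.
write_sample_conf() {
    cat > "$1" <<'EOF'
# TLS settings carried over from an older installation
smtpd_tls_security_level = may
smtpd_tls_dh1024_param_file =
    /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = strong
EOF
}

# Constructed sample (not from the thread): the same config after moving
# both parameters to "auto", as the thread recommends.
write_fixed_conf() {
    cat > "$1" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_dh1024_param_file = auto
smtpd_tls_eecdh_grade = auto
EOF
}

# Stand-alone demo: audit the constructed sample and report findings.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_tls_params "$demo_conf" \
    || echo "explicit DH/EECDH settings found above; set both to 'auto'"
rm -f "$demo_conf"
```

On a running system, `postconf -n` lists only the parameters set explicitly in main.cf, so piping its output through `check_tls_params /dev/stdin` gives the same answer without parsing the file by hand (continuation lines are already folded in postconf output).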