On Wed, Sep 18, 2024 at 01:04:58PM +0200, Geert Hendrickx wrote:
> Specifically, this provider implements new Key Encapsulation Methods like
> "x25519_kyber768", which I can use with `openssl s_server -groups`, or with
> nginx as `ssl_ecdh_curve`, but not with Postfix in `tls_eecdh_auto_curves`.
> Postfix keeps logging:
>
> > warning: ignoring unknown key exchange group "x25519_kyber768"
What Postfix process is logging this? You should initially test with
"posttls-finger", and ultimately make sure that your smtp(8) and/or
smtpd(8) processes are not chrooted, lest that get in the way of loading
the provider.
> Looking at the code in src/tls/tls_dh.c, Postfix verifies each group name
> in tls_eecdh_auto_curves and tls_ffdhe_auto_groups with OBJ_sn2nid(3),
And then tries to use the group in a throw-away SSL_CTX, but I guess
that would not log the above warning:
    int nid = EC_curve_nist2nid(group);
    if (nid == NID_undef)
        nid = OBJ_sn2nid(group);
    if (nid == NID_undef)
        nid = OBJ_ln2nid(group);
    if (nid == NID_undef) {
        msg_warn("ignoring unknown key exchange group \"%s\"", group);
        continue;
    }

    /*
     * Validate the NID by trying it as the group for a throw-away SSL
     * context. Silently skip unsupported code points. This way, we can
     * list X25519 and X448 as soon as the nids are assigned, and before
     * the supporting code is implemented. They'll be silently skipped
     * when not yet supported.
     */
    if (SSL_CTX_set1_curves(tmpctx, &nid, 1) <= 0) {
        continue;
    }
Are your Postfix executables linked against the same OpenSSL library
that has support for these new groups?
> but so does nginx, which does accept that name.
Must be linked with a different OpenSSL then.
--
Viktor.
Postfix-users mailing list -- [email protected]