On Thu, Sep 19, 2024 at 01:01:42 +1000, Viktor Dukhovni via Postfix-users wrote:
> The OBJ_sn2nid() function is not extensible, and not affected by loading
> of providers. To actually be able to map this algorithm to a "nid", the
> base OpenSSL code would have to know about "x25519_kyber768".

Ok, that explains it. So this will only work with a version of openssl that knows those names, even if they're implemented externally.

> That's because nginx must not solely rely on OBJ_sn2nid for these
> groups.

Oh, I see now. If SSL_CTX_set1_curves_list() is defined, nginx runs it directly on the whole list (without checking the elements first). OBJ_sn2nid is only used for older openssl.

Dovecot also runs SSL_CTX_set1_curves_list() directly (and probably doesn't support older openssl anymore).

Btw, postfix has no way to NOT set any curves/groups, and let openssl choose?

Geert