On Thu, Sep 19, 2024 at 02:02:50 +1000, Viktor Dukhovni via Postfix-users wrote:

> This makes it possible to write "forward-looking" configs that will use
> newer groups once they're available in the OpenSSL runtime.
Well actually, in this case it achieves the opposite, as the individual checking prohibits using newer groups from an external provider.

Just throwing out some ideas: would it be an option to pass the list through SSL_CTX_set1_curves_list() first, and only if that fails, fall back to checking the individual elements?

Or perhaps if the list is quoted, or via some other marker, take it as a verbatim input for SSL_CTX_set1_curves_list()? This would also help if the list gets additional semantics, e.g. as proposed here:
https://github.com/openssl/openssl/issues/21633#issuecomment-2172613097

Or would it be possible to specify unknown groups by numerical algorithm id? (Much like the numerical smtpd_tls_protocols.)

Or not sn2nid check an individual element if it's quoted? (In any case it would then clearly be the administrator's responsibility not to shoot himself in the foot.)

Geert