On Wed, Sep 18, 2024 at 07:58:31PM +0200, Geert Hendrickx via Postfix-users wrote:
> On Thu, Sep 19, 2024 at 02:02:50 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > This makes it possible to write "forward-looking" configs that will use
> > newer groups once they're available in the OpenSSL runtime.
>
> Well actually, in this case it achieves the opposite, as the individual
> checking prohibits using newer groups from an external provider.

Only for a handful of early adopters who want to test-drive bleeding-edge
algorithms only available in add-on "providers". Making configurations more
portable is IMNSHO the greater good.

> Would it be an option to pass the list through SSL_CTX_set1_curves_list()
> first, and only if that fails, fall back to checking the individual elements?

Not necessary. Just need to change how elements are tested, from testing
"nids" to testing singleton strings.

> Or perhaps if the list is quoted, or via some other marker, take it as a
> verbatim input for SSL_CTX_set1_curves_list() ?

No need.

> This would also help if the list gets additional semantics, eg. as proposed
> here: https://github.com/openssl/openssl/issues/21633#issuecomment-2172613097

Not a problem, the proposed decoration would be part of the element, but I'm
arguing that it is not needed.

https://github.com/openssl/openssl/issues/21633#issuecomment-2359871975

> Or would it be possible to specify unknown groups by numerical algorithm
> id? (much like the numerical smtpd_tls_protocols) Or not sn2nid check an
> individual element if it's quoted?

There's no API for that, OpenSSL accepts "nids" or names, and for external
provider algorithms there are no "nids".

-- 
    Viktor.