On Fri, Sep 20, 2024 at 01:53:10AM +1000, Viktor Dukhovni via Postfix-users 
wrote:

> Let's let the code bake in, and if nothing further needs to change, I'll
> drop Wietse a fresh pointer to the git branch.

I looked more closely at the available OpenSSL APIs, and found a way for
the client to obtain the KEM group name even with OpenSSL 3.0, 3.1, not
just 3.2 and up.  The top commit on the branch got amended accordingly:

Basically, the OpenSSL 3.2 SSL_get0_group_name() function can be
emulated as a combination of two calls in 3.0 and 3.1:

    #if OPENSSL_VERSION_PREREQ(3,2)
    #define TLS_GROUP_NAME(ssl) SSL_get0_group_name(ssl)
    #elif OPENSSL_VERSION_PREREQ(3,0)
    #define TLS_GROUP_NAME(ssl) \
        SSL_group_to_name((ssl), SSL_get_negotiated_group(ssl))
    #else
    #define TLS_GROUP_NAME(ssl) ((const char *)0)
    #endif

(internally there's an extra pair of conversions that the preferred 3.2
version avoids).

I've tested that this compiles and works with OpenSSL 1.1.1, 3.0 and
3.2, but only with stock key exchange methods (x25519, ECDHE and DHE).

If it is possible to test kyber768 with OpenSSL 3.0 or 3.1, please do,
and post your findings to the list.

-- 
    Viktor.