On Mon, Sep 23, 2024 at 10:09:12AM +0200, Geert Hendrickx via Postfix-users wrote:
> Tested with OpenSSL 3.0 as well now (RHEL 9 version), with oqs-provider added.
>
> $ openssl version
> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
>
> $ ./bin/postconf mail_version
> mail_version = 3.10-20240917
> (built from Viktor's provider-kex branch)

That is:

    https://github.com/vdukhovni/postfix/commits/provider-kex/

@Wietse, I believe this is now sufficiently mature for adoption. The
HISTORY file has a suitable blurb. This is not a release-notes-worthy
change, just avoids loss of minor forensic detail for externally loaded
kex "groups" (or, more generally, KEMs).

> $ ./bin/posttls-finger -c -o tls_eecdh_auto_curves='x25519_mlkem768
> x25519_kyber768 X25519' gmail.com | grep established
> posttls-finger: Untrusted TLS connection established to
> gmail-smtp-in.l.google.com[2a00:1450:400c:c0b::1a]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519_mlkem768
> server-signature ECDSA (prime256v1) server-digest SHA256

Nice, thanks.

> (Google is now supporting both x25519_kyber768 and x25519_mlkem768, both
> preferred over traditional TLSv1.3 key exchanges with HRR.)

[ BTW, that "grep established" can just be replaced with the
posttls-finger(1) "-Lsummary" option. ]

--
    Viktor.
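
The "key-exchange" field in the summary line quoted above is the forensic detail under discussion. The following is an added example, not part of the thread and not Postfix code: it parses such summary lines and reports TLS sessions that did not negotiate a hybrid post-quantum group. The function names are hypothetical, and the set of hybrid group names is limited to the two named in the thread.

```python
import re

# Hybrid post-quantum group names taken from the thread; extend as needed.
HYBRID_PQ_GROUPS = {"x25519_mlkem768", "x25519_kyber768"}

# Fixed leading part of a "TLS connection established" summary line.
SUMMARY_RE = re.compile(
    r"(?P<trust>\w+) TLS connection established (?:to|from) "
    r"(?P<peer>\S+?): (?P<protocol>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<max_bits>\d+) bits\)(?P<rest>.*)"
)
# Optional trailing fields: "<label> <name>" plus an optional "(detail)".
FIELD_RE = re.compile(
    r"(?P<label>key-exchange|server-signature|server-digest|"
    r"client-signature|client-digest) (?P<name>\S+)(?: \((?P<detail>[^)]*)\))?"
)

def parse_tls_summary(line):
    """Return the summary fields as a dict, or None for unrelated lines."""
    m = SUMMARY_RE.search(line)
    if m is None:
        return None
    info = {k: v for k, v in m.groupdict().items() if k != "rest"}
    for f in FIELD_RE.finditer(m.group("rest")):
        info[f.group("label")] = f.group("name")
        if f.group("detail"):
            info[f.group("label") + "-detail"] = f.group("detail")
    kex = info.get("key-exchange")
    info["hybrid_pq"] = kex is not None and kex.lower() in HYBRID_PQ_GROUPS
    return info

def sessions_without_hybrid_pq(lines):
    """List (peer, key-exchange) for parsed sessions lacking a hybrid group."""
    parsed = (parse_tls_summary(line) for line in lines)
    return [(p["peer"], p.get("key-exchange")) for p in parsed
            if p is not None and not p["hybrid_pq"]]

if __name__ == "__main__":
    sample = [
        # Line from the thread, rejoined onto one line.
        "posttls-finger: Untrusted TLS connection established to "
        "gmail-smtp-in.l.google.com[2a00:1450:400c:c0b::1a]:25: TLSv1.3 with "
        "cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange "
        "x25519_mlkem768 server-signature ECDSA (prime256v1) server-digest SHA256",
        # Constructed line (documentation address, not a real host).
        "postfix/smtp[1234]: Trusted TLS connection established to "
        "mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher "
        "TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 "
        "server-signature RSA-PSS (2048 bits) server-digest SHA256",
    ]
    print(sessions_without_hybrid_pq(sample))
```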