On Wed, Mar 24, 2010 at 11:09:44AM +0100, Gregory BELLIER wrote:

> if I copy an existing cipher in OpenSSL and rename it, it will act as if it
> is a new cipher.

On the wire SSL ciphers have numeric ids, not names. If you "rename" a
cipher, it just changes how it is displayed in logs. Renaming ciphers is
fairly pointless and counter-productive. Why would you do this?

> Would I need to build postfix against this new OpenSSL to be able to use
> the new cipher?

What new cipher? I thought you were just "renaming" an existing cipher.
And who else would implement your "new" cipher to inter-operate with your
Postfix? And, if you don't already know the answer to your question and
more (i.e. you are not an expert in cryptography and OpenSSL internals),
what are you doing changing OpenSSL?

> How does the TLS negotiation work? I guess it is done by Postfix which
> asks OpenSSL what ciphers are supported and depending on the negotiation,
> Postfix stores the cipher's OID selected.

At this point, you really need to step back, take a deep breath, and use
OpenSSL as-is.

> All this for my first question, would it be required to rebuild postfix if
> a new cipher makes its way in OpenSSL to be able to use it?

No, Postfix uses all reasonably strong OpenSSL ciphers as soon as they are
introduced, preferring the strongest, as labeled by the OpenSSL developers.

-- 
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
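The point that cipher suites travel as numeric ids and that names are only a local display lookup can be seen by parsing a ClientHello. The following is an added example, not code from the thread, Postfix or OpenSSL: it builds a constructed, minimal TLS 1.2 ClientHello (no extensions, fixed random), extracts the cipher_suites vector, and maps each id to its IANA name through a small table. The table, the `build_client_hello`, `cipher_suites_from_client_hello` and `describe` helpers, and the "unknown(0x....)" label for unmapped ids are all assumptions of this example; a peer that has "renamed" a suite still sends exactly the same two bytes, so the name on its side is invisible here.

```python
import struct

# Constructed lookup table of IANA-registered cipher suite ids (assumption:
# only these are mapped; any other id is reported as unknown). The name is a
# property of the local table, not of anything sent on the wire.
IANA_CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def build_client_hello(suite_ids, random_bytes=b"\x11" * 32):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) offering suite_ids.

    Hypothetical helper used only to produce constructed test input.
    """
    body = struct.pack("!H", 0x0303)                      # client_version = TLS 1.2
    body += random_bytes                                  # 32-byte random (constructed)
    body += b"\x00"                                       # session_id length = 0
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record layer: ContentType handshake (0x16), legacy version 3.1, length
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def cipher_suites_from_client_hello(record):
    """Parse a TLS record holding a ClientHello and return its cipher suite ids as ints."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites vector")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def describe(suite_ids):
    """Map wire ids to display names; unmapped ids are shown as unknown(0x....)."""
    return [IANA_CIPHER_SUITES.get(s, "unknown(0x%04x)" % s) for s in suite_ids]


if __name__ == "__main__":
    hello = build_client_hello([0xC030, 0xC02F, 0x009D, 0x002F, 0x00FF])
    ids = cipher_suites_from_client_hello(hello)
    for wire_id, name in zip(ids, describe(ids)):
        print("0x%04x  %s" % (wire_id, name))
```

Running it prints each offered suite as the two-byte id followed by the name the local table assigns to it; swapping a name in `IANA_CIPHER_SUITES` changes only that second column, which is the whole effect of "renaming" a cipher in a library.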