Postfix works fine when compiled and linked with OpenSSL 1.0.0.

However, when migrating from OpenSSL 0.9.8 to OpenSSL 1.0.0, there is
a potential (in)compatibility issue with CApath directories.

If you use a "CApath" to store root CA certificates for either the Postfix
SMTP client or the Postfix SMTP server, be aware that the hash value of
the issuer DN is computed differently by OpenSSL 1.0.0, and a CApath
directory hashed with OpenSSL 0.9.8 utilities will not be usable by
software compiled with 1.0.0 libraries.

Conversely, if you use the OpenSSL 1.0.0 c_rehash (your PATH must include
other OpenSSL 1.0.0 command-line tools before the corresponding 0.9.8
versions if also installed), the resulting CApath directory will not
work with OpenSSL 0.9.8.

If you want to be really clever, you may be able to hash two copies
of the root CA directories with the same set of certificates each with
a different version of c_rehash (and corresponding utilities from the
appropriate OpenSSL version) and then combine the set of symbolic links
into a final directory that should work with either library. If you
decide to take this approach, test carefully! No warranty!

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
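
Added example, not part of the message above: a shell check that reports, for each CA certificate in a CApath directory, whether a hash link exists under the OpenSSL 1.0.0 name and under the 0.9.8 name, which is the test a combined directory has to pass. It assumes an OpenSSL 1.0.0 or later `openssl` on PATH (its `x509` command provides `-subject_hash_old` for the pre-1.0.0 hash) and certificates stored as PEM files; the function names `has_link` and `capath_audit` are hypothetical.

```shell
#!/bin/sh
# Added example: audit a CApath directory for both OpenSSL hash styles.
# Assumption: "openssl" on PATH is 1.0.0 or later, so that
#   -subject_hash      prints the 1.0.0-style hash
#   -subject_hash_old  prints the 0.9.8-style hash
# Usage (after sourcing this file): capath_audit /path/to/CApath

# has_link DIR HASH CERT
# True if some DIR/HASH.N (symlink or copy) has the same content as CERT.
has_link() {
    for link in "$1/$2".[0-9]*; do
        [ -e "$link" ] || continue          # unmatched glob or dangling link
        cmp -s "$link" "$3" && return 0
    done
    return 1
}

# capath_audit DIR
# Prints one line per certificate; returns 0 only if every certificate
# is reachable under both the new and the old hash name.
capath_audit() {
    dir=$1
    status=0
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        new=$(openssl x509 -noout -subject_hash -in "$cert") ||
            { echo "skip (not a certificate?): $cert" >&2; status=1; continue; }
        old=$(openssl x509 -noout -subject_hash_old -in "$cert") ||
            { echo "skip (no -subject_hash_old?): $cert" >&2; status=1; continue; }
        n=no
        o=no
        has_link "$dir" "$new" "$cert" && n=yes
        has_link "$dir" "$old" "$cert" && o=yes
        printf '%s new(%s)=%s old(%s)=%s\n' "${cert##*/}" "$new" "$n" "$old" "$o"
        [ "$n" = yes ] && [ "$o" = yes ] || status=1
    done
    return "$status"
}
```

A line showing `new(...)=no` means software linked against 1.0.0 will not find that CA in the directory; `old(...)=no` means the same for 0.9.8.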
