Viktor Dukhovni:
> The OpenSSL API does not provide an interface to allow older programs
> to disable new protocol versions defined in later versions of the API.
>
> Therefore, to disable TLS 1.1 or 1.2 one has to add code that uses
> the new constants introduced with OpenSSL 1.0.1.
>
> Proposed patch attached.

That will be a solution for Postfix 2.10.

Meanwhile, for earlier Postfix releases, how much of the problem
can be solved by changing from:

    mumble_tls_mandatory_protocols = SSLv3, TLSv1

(i.e. the current default) to:

    mumble_tls_mandatory_protocols = !SSLv2

I don't mind that the older Postfix versions would not be able to
turn on/off protocols that didn't exist at the time Postfix was
released.

Wietse