Mark Alan:

> On Tue, 24 Apr 2012 19:42:20 -0400 (EDT), Wietse Venema
> <wie...@porcupine.org> wrote:
>
> > So, TLSv1.2 is giving trouble.
> > ...
> > Works with OpenSSL 1.0.1a with "smtp_tls_protocols = !TLSv1.2":
> > ...
> > So it is a good thing that I put out those updates today.
> > ...
> > Which leaves me wondering how other MTAs deal with this. Given the
> > way OpenSSL works, there is no way for a program to specify what
> > TLS protocols it wants to use. Instead, a program can only specify
> > what TLS protocols it does not want. This means that new code needs
> > to be added whenever a new protocol is added to OpenSSL, otherwise
> > that protocol can't be turned off.
>
> While the postfix updates do not get into each distribution's
> repositories, should we use the following?
>
> postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
Please pay attention! This means that new code needs to be added [TO
POSTFIX] whenever a new protocol is added to OpenSSL, otherwise that
protocol can't be turned off [IN POSTFIX]. I spent most of yesterday
rolling out patches for OpenSSL, now I don't want to spend half a day
answering questions.

Wietse
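To make the exclusion-only model concrete, here is an added illustration (not Postfix or OpenSSL source) of how a `tls_protocols` value is turned into "disable this protocol" flags. The flag bit values and the two protocol tables are constructed for the example; the point it shows is that a `!TLSv1.2` exclusion has no effect on a build whose table predates TLSv1.2, so that protocol stays enabled, which is exactly the situation the thread describes.

```python
# Constructed model of Postfix-style tls_protocols handling on top of an
# exclusion-only API like OpenSSL's SSL_OP_NO_* options. The bit values
# below are made up for this example; real SSL_OP_NO_* values differ.
KNOWN_NO_FLAGS = {          # table of an updated build that knows TLSv1.2
    "SSLv2": 1 << 0,
    "SSLv3": 1 << 1,
    "TLSv1": 1 << 2,
    "TLSv1.1": 1 << 3,
    "TLSv1.2": 1 << 4,
}

def parse_tls_protocols(value, known=KNOWN_NO_FLAGS):
    """Return (exclude_flags, unknown_names) for a tls_protocols value.

    The value is a comma/space separated list that is either all
    exclusions ('!SSLv2, !TLSv1.2') or all inclusions ('TLSv1, TLSv1.1');
    mixing the two forms is rejected, as Postfix does. A '!name' whose
    name is not in the build's table produces no flag, so that protocol
    cannot be turned off by this configuration.
    """
    tokens = [t for t in value.replace(",", " ").split() if t]
    if not tokens:
        return 0, []
    excl = [t.startswith("!") for t in tokens]
    if any(excl) and not all(excl):
        raise ValueError("cannot mix '!name' exclusions with bare names")
    flags, unknown = 0, []
    if all(excl):
        for tok in tokens:
            name = tok[1:]
            if name in known:
                flags |= known[name]
            else:
                unknown.append(name)        # silently ineffective in practice
    else:
        # Inclusive form: disable every protocol the build knows but the
        # admin did not list. Protocols the build does not know stay on.
        wanted = set(tokens)
        for name, bit in known.items():
            if name not in wanted:
                flags |= bit
        unknown = [t for t in tokens if t not in known]
    return flags, unknown

def enabled_protocols(value, library_protocols, known=KNOWN_NO_FLAGS):
    """Protocols the linked library would still negotiate after the flags
    from `value` are applied; library_protocols is what it implements."""
    flags, _ = parse_tls_protocols(value, known)
    return sorted(p for p in library_protocols
                  if not (known.get(p, 0) & flags))
```

Running `enabled_protocols("!SSLv2, !TLSv1.2", ...)` with a table lacking the `TLSv1.2` entry still returns TLSv1.2 as enabled, while the updated table excludes it.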