On Sun, Apr 14, 2013 at 09:21:16PM +0000, Viktor Dukhovni wrote:

> > Protocol : TLSv1.2
> > Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
> ciphersuite. Now try:
>
>     (sleep 2; printf "%s\r\n" QUIT) |
>     openssl s_client -state -connect 127.0.0.1:465 2>&1 |
>     tee client.out
>
> and report the output of that (I am assuming Postfix is configured with
> wrapper mode on port 465 aka "smtps") based on your reported master.cf:
>
>     smtps     inet  n       -       n       -       -       smtpd
>       -o smtpd_sasl_auth_enable=yes
>       -o smtpd_tls_wrappermode=yes
It sure looks like Postfix is using a library that does not enable SHA-2
(that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();

This is not the behaviour I see, so something is wrong with your OpenSSL
runtime or header files. Which "openssl/ssl.h" header file does Postfix
include, and how does it define "OpenSSL_add_ssl_algorithms"? I have:

    #define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

-- 
Viktor.
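The probe suggested above, wrapped in a small shell script, as an added example that is not part of the thread and not Postfix's own tooling. `smtps_probe` runs the exact `s_client` pipeline from the quoted mail (host, port and output file names are assumptions with the thread's values as defaults), `handshake_summary` pulls the negotiated protocol and ciphersuite out of the transcript and names the digest the suite uses, and `sha2_digest_check` asks the `openssl` command on PATH to compute the three SHA-2 digests, on the assumption that it is linked against the same libcrypto Postfix loads. The transcript fed to the summary at the bottom is constructed sample text, not captured output.

```sh
#!/bin/sh
# Added example for the Postfix/OpenSSL SHA-2 diagnosis; not code from the
# original thread. Defaults (127.0.0.1:465, client.out) are assumptions.

# Run the wrapper-mode (smtps) probe from the thread and keep the full
# transcript in $3 so it can be posted to the list as-is.
smtps_probe() {
    host=${1:-127.0.0.1}; port=${2:-465}; out=${3:-client.out}
    (sleep 2; printf '%s\r\n' QUIT) |
        openssl s_client -state -connect "$host:$port" 2>&1 |
        tee "$out" >/dev/null
}

# Summarise a transcript as "PROTOCOL CIPHER DIGEST", where DIGEST is the
# last dash-separated token of the suite name (SHA384, SHA256, or SHA for
# SHA-1). s_client prints "Cipher : 0000" when no suite was agreed, which
# is reported as HANDSHAKE-FAILED.
handshake_summary() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000") {
                print "HANDSHAKE-FAILED"
                exit
            }
            n = split(cipher, parts, "-")
            print proto, cipher, parts[n]
        }' "$1"
}

# Check that the openssl binary on PATH can compute the SHA-2 digests;
# prints "ok" or the list of digests that fail. Assumes that binary uses
# the same libcrypto as the Postfix smtpd daemon.
sha2_digest_check() {
    missing=""
    for d in sha256 sha384 sha512; do
        printf '%s' abc | openssl dgst "-$d" >/dev/null 2>&1 || missing="$missing $d"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed sample transcript (not real s_client output) to show the
# summary format. Against a live server run: smtps_probe; handshake_summary client.out
sample=$(mktemp)
printf '    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n' > "$sample"
handshake_summary "$sample"   # → TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 SHA384
rm -f "$sample"
```

If `handshake_summary` reports a SHA-2 suite from `openssl s_client` talking to itself but Postfix's smtpd still fails with the same OpenSSL, the difference is in what the daemon loaded, which is the header/runtime mismatch the reply asks about; if `sha2_digest_check` already prints missing digests, the library itself is the problem.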