On 14/04/2013 22:02, Viktor Dukhovni wrote:

> On Sun, Apr 14, 2013 at 09:21:16PM +0000, Viktor Dukhovni wrote:
>
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>
> This looks fine, OpenSSL inter-operates with itself selecting a
> TLSv1.2 ciphersuite. Now try:
>
>     (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out
>
> and report the output of that (I am assuming Postfix is configured
> with wrapper mode on port 465 aka "smtps") based on your reported
> master.cf:
>
>     smtps inet n - n - - smtpd
>       -o smtpd_sasl_auth_enable=yes
>       -o smtpd_tls_wrappermode=yes

> It sure looks like Postfix is using a library that does not enable
> SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:
>
>     SSL_load_error_strings();
>     OpenSSL_add_ssl_algorithms();
>
> This is not the behaviour I see, so something is wrong with your OpenSSL
> runtime or header files. Which "openssl/ssl.h" header file does Postfix
> include and how does it define "OpenSSL_add_ssl_algorithms"? I have:
>
>     #define OpenSSL_add_ssl_algorithms() SSL_library_init()
>
> which adds all libcrypto digests.

Same: in /usr/include/openssl/ssl.h, I have:

    #define OpenSSL_add_ssl_algorithms() SSL_library_init()
    #define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see "crypto/sha" but no
"sha-2" anywhere. Is that correct?

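The question raised in the thread, whether the loaded OpenSSL runtime can actually use SHA-2 based TLSv1.2 suites such as ECDHE-RSA-AES256-GCM-SHA384, can also be checked from a script. This is an added example, not part of the original messages: it uses Python's ssl module, so it tests the OpenSSL build Python is linked against, which is assumed here to be the same system library Postfix loads. The suite list and function names are constructed for the example.

```python
import ssl

# Constructed sample: TLSv1.2 suites whose MAC or PRF needs a SHA-2 digest.
# The first entry is the suite reported in the thread.
SHA2_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]


def suite_selectable(name):
    """Return True if the linked libssl accepts this suite in a cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        # "No cipher can be selected": the name is unknown to libssl, or the
        # suite is disabled because an algorithm it needs is not available.
        return False
    # TLSv1.3 suites can appear in the list regardless of the string passed
    # to set_ciphers(), so match on the exact suite name.
    return any(c["name"] == name for c in ctx.get_ciphers())


def sha2_report(suites=SHA2_SUITES):
    """Map each suite name to whether the runtime library can select it."""
    return {name: suite_selectable(name) for name in suites}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, ok in sha2_report().items():
        print(("ok      " if ok else "MISSING ") + name)
```

A suite reported as MISSING here while `openssl s_client` negotiates it on the same host would point at two different OpenSSL installations being in use.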