On 14/04/2013 22:08, Joan Moreau wrote:

> On 14/04/2013 22:02, Viktor Dukhovni wrote:
>> On Sun, Apr 14, 2013 at 09:21:16PM +0000, Viktor Dukhovni wrote:
>>
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>
>> This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
>> ciphersuite. Now try:
>>
>>     (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out
>>
>> and report the output of that (I am assuming Postfix is configured with
>> wrapper mode on port 465, aka "smtps") based on your reported master.cf:
>>
>>     smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
>>
>> It sure looks like Postfix is using a library that does not enable SHA-2
>> (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:
>>
>>     SSL_load_error_strings();
>>     OpenSSL_add_ssl_algorithms();
>>
>> This is not the behaviour I see, so something is wrong with your OpenSSL
>> runtime or header files. Which "openssl/ssl.h" header file does Postfix
>> include, and how does it define "OpenSSL_add_ssl_algorithms"? I have:
>>
>>     #define OpenSSL_add_ssl_algorithms() SSL_library_init()
>>
>> which adds all libcrypto digests.

Same: in /usr/include/openssl/ssl.h, I have:

    #define OpenSSL_add_ssl_algorithms() SSL_library_init()
    #define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see "crypto/sha" but no "sha-2" anywhere. Is that correct?

SHA256 is correctly set up in openssl:

    openssl x509 -sha256 -noout -fingerprint -in /etc/ssl/certs/gjnet.crt
    SHA256 Fingerprint=4C:F3:9C:6C:EA:47:04:12:60:60:D5:B5:18:5D:BD:D4:DA:03:03:44:22:2F:01:C6:F7:A3:76:D6:45:15:3F:89

However, how can postfix NOT use the only openssl library? Or fail to have SHA2 when loading the .so?
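A shell triage script for the three checks being traded in the message above: which libssl/libcrypto the smtpd binary actually maps (to compare against the headers Postfix was built with), whether the runtime libcrypto knows SHA-256 at all, and what the port-465 wrapper-mode probe negotiates. This is an added example, not code from the thread, from Viktor or from Postfix; it assumes the openssl CLI, ldd and postconf are installed and that port 465 runs smtpd with smtpd_tls_wrappermode=yes as in the quoted master.cf. The two sample session blocks are constructed for illustration, not captured output.

```shell
#!/bin/sh
# Added example (not code from the thread): triage for a Postfix smtpd that
# will not negotiate SHA-2 cipher suites. Assumes openssl, ldd and postconf
# exist on the host and that port 465 is smtpd in wrapper mode.

# Classify the negotiated cipher from `openssl s_client` output on stdin:
# prints "sha2" for SHA-256/SHA-384 (or POLY1305) suites, "sha1" for the
# legacy *-SHA suites, "none" when nothing was agreed (no Cipher line, or
# "0000", which s_client prints in the session block after a failed handshake).
cipher_family() {
    cipher=$(sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$cipher" in
        ""|0000)                   echo none ;;
        *SHA256|*SHA384|*POLY1305) echo sha2 ;;
        *)                         echo sha1 ;;
    esac
}

# One-line summary "<protocol> <cipher> <family>" of s_client output on stdin.
handshake_summary() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    family=$(printf '%s\n' "$out" | cipher_family)
    echo "${proto:-unknown} ${cipher:-none} $family"
}

# Constructed sample: the healthy session block reported in the thread.
SAMPLE_OK='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample: a server that can only agree a SHA-1 MAC suite.
SAMPLE_SHA1='    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

# The probe from the thread: wrapper-mode TLS to $1:$2, QUIT after 2 s so the
# session closes cleanly and s_client prints its session block.
probe_smtps() {
    (sleep 2; printf '%s\r\n' QUIT) | openssl s_client -state -connect "$1:$2" 2>&1
}

# Which libssl/libcrypto does the smtpd binary actually map? Compare the
# paths with the headers Postfix was built against (/usr/include/openssl).
smtpd_tls_libs() {
    ldd "$(postconf -h daemon_directory)/smtpd" | grep -E 'libssl|libcrypto'
}

# Does the runtime libcrypto know SHA-256 at all? (exit status 0 = yes)
runtime_has_sha256() {
    printf '' | openssl dgst -sha256 >/dev/null 2>&1
}

# Usage: sh tls_triage.sh live [host] [port]   (defaults: 127.0.0.1 465)
# Without "live" it only summarises the constructed samples.
if [ "${1:-}" = live ]; then
    host=${2:-127.0.0.1}; port=${3:-465}
    echo "smtpd links:"; smtpd_tls_libs
    if runtime_has_sha256; then
        echo "runtime libcrypto: SHA-256 ok"
    else
        echo "runtime libcrypto: SHA-256 missing"
    fi
    echo "handshake: $(probe_smtps "$host" "$port" | handshake_summary)"
else
    printf '%s\n' "$SAMPLE_OK"   | handshake_summary
    printf '%s\n' "$SAMPLE_SHA1" | handshake_summary
fi
```

If the live run shows smtpd mapping a different libcrypto than the one `openssl version` reports, or `runtime_has_sha256` failing, that is the header/runtime mismatch suspected above; if both are fine but the handshake summary still comes back "none" or "sha1", the problem is on the Postfix side rather than in the library.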