On Mon, Dec 23, 2013 at 03:09:09PM +0000, Viktor Dukhovni wrote:
> > using SHA512 algorithms
>
> TLSv1 and TLSv1.2 does not support negotiation of digest algorithms.
I meant "TLSv1 and TLSv1.1", but typed TLSv1.2.
Speaking of TLSv1.2, does anyone have more information about:
https://rt.openssl.org/Ticket/Display.html?id=3128&user=guest&pass=guest
and the related OpenSSL post-1.0.1e fix:
commit ca989269a2876bae79393bd54c3e72d49975fc75
Author: Dr. Stephen Henson <[email protected]>
Date: Thu Dec 19 14:37:39 2013 +0000
    Use version in SSL_METHOD not SSL structure.

    When deciding whether to use TLS 1.2 PRF and record hash algorithms
    use the version number in the corresponding SSL_METHOD structure
    instead of the SSL structure. The SSL structure version is sometimes
    inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
    (CVE-2013-6449)
The issue seems to be triggered by Squid trying to use SSL_read()
to flush socket input after an SSL error. If that's the only way
to run into this problem, it should not be an issue for Postfix.
Postfix does not perform any further I/O on SSL connections after
an SSL or I/O error.
--
Viktor.
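Added example, not part of the message above and not Postfix or Squid code: a small C model of the two I/O disciplines the message contrasts. The read backend is injected through a function pointer (assumed to wrap SSL_read() plus SSL_get_error() in a real program; here a constructed test double with a scripted result sequence), and the tls_conn wrapper latches a dead flag on the first fatal error so that a flush-after-error loop can never issue another read against the TLS object. The names tls_conn, tls_conn_read, fake_tls and reads_after_error are all hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome classes of one TLS read, mirroring what SSL_get_error() would
 * report: > 0 bytes of application data, 0 for a clean close_notify,
 * TLS_IO_RETRY for want-read/want-write, TLS_IO_FATAL for
 * SSL_ERROR_SSL / SSL_ERROR_SYSCALL. */
enum { TLS_IO_RETRY = -1, TLS_IO_FATAL = -2 };

/* Injected backend (hypothetical); a real program would wrap SSL_read()
 * and SSL_get_error() here. */
typedef int (*tls_read_fn)(void *backend, unsigned char *buf, size_t len);

struct tls_conn {
    void       *backend;    /* would be the SSL * */
    tls_read_fn read;
    int         dead;       /* latched on the first fatal error or EOF */
};

/* Postfix-style discipline: after a fatal error or EOF the TLS object is
 * never touched again, so any later "flush" attempt is refused locally
 * instead of reaching the library. */
int tls_conn_read(struct tls_conn *c, unsigned char *buf, size_t len)
{
    if (c->dead) {
        errno = EPIPE;
        return TLS_IO_FATAL;
    }
    int n = c->read(c->backend, buf, len);
    if (n == TLS_IO_FATAL || n == 0)
        c->dead = 1;
    return n;
}

/* Constructed test double: a scripted sequence of read results plus a
 * counter of how many reads were issued after the scripted fatal error. */
struct fake_tls {
    const int *script;
    size_t     len, pos;
    int        seen_fatal;
    int        reads_after_fatal;
};

static int fake_read(void *backend, unsigned char *buf, size_t len)
{
    struct fake_tls *f = backend;
    (void)buf;
    (void)len;
    if (f->seen_fatal)
        f->reads_after_fatal++;
    int r = f->pos < f->len ? f->script[f->pos++] : 0;
    if (r == TLS_IO_FATAL)
        f->seen_fatal = 1;
    return r;
}

/* Drive a read loop, then the flush-after-error pattern the message
 * attributes to Squid (on an SSL error, keep reading to drain the socket).
 * 'guarded' selects whether reads go through tls_conn_read() or straight
 * to the backend. Returns how many backend reads happened after the
 * fatal error: 0 when guarded, 2 when unguarded with this script. */
int reads_after_error(int guarded)
{
    static const int script[] = { 5, TLS_IO_FATAL, 3, 0 };  /* constructed */
    struct fake_tls f = { script, sizeof script / sizeof script[0], 0, 0, 0 };
    struct tls_conn c = { &f, fake_read, 0 };
    unsigned char buf[16];
    int n;

    /* normal read loop until the first error or EOF */
    do {
        n = guarded ? tls_conn_read(&c, buf, sizeof buf)
                    : fake_read(&f, buf, sizeof buf);
    } while (n > 0);

    if (n == TLS_IO_FATAL) {
        /* flush-after-error: keep reading until close or another error */
        do {
            n = guarded ? tls_conn_read(&c, buf, sizeof buf)
                        : fake_read(&f, buf, sizeof buf);
        } while (n > 0);
    }
    return f.reads_after_fatal;
}

int main(void)
{
    printf("unguarded: %d backend reads after fatal error\n", reads_after_error(0));
    printf("guarded:   %d backend reads after fatal error\n", reads_after_error(1));
    return 0;
}
```

The point of the latch is that the decision not to do further I/O after an error is made once, in the wrapper, rather than being left to every caller that might want to drain the socket.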