On Thu, May 08, 2014 at 10:45:28PM +0200, Markus Petri wrote:

> I'm trying to get client side TLSA/DANE working on a SLES11 SP3 system
> with openssl 0.9.8j and Postfix 2.11.1.

You need at least OpenSSL 1.0.0.

> When the smtp client tries to connect to the destination system, the
> following is logged:
>
> May 8 22:23:11 mail postfix-rz-out/smtp[22203]: warning:
>     cannot generate TA certificates, no trust-anchor or DANE support
> May 8 22:23:11 mail postfix-rz-out/smtp[22203]: warning:
>     petri-markus.de: dane configured, but no requisite library support
> May 8 22:23:11 mail postfix-rz-out/smtp[22203]:
>     Untrusted TLS connection established to
>     marge.ceotex.de[2a01:4f8:140:6ffb::24]:25:
>     TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> I suspect that the distributed openssl library is too old, but I may
> be wrong.

You're not wrong, it is too old.

-- 
	Viktor.
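A log check for the situation in this thread, as an added example that is not part of the original message: it reports TLS sessions that a Postfix smtp client set up right after warning that DANE was configured without library support. The function names are hypothetical, and the sample lines are constructed from the excerpt quoted above (unwrapped to one record per line, plus one invented negative case).

```shell
#!/bin/sh
# Added example: report TLS sessions set up by a Postfix smtp client right
# after it warned that DANE was configured without library support.

# Reads syslog lines on stdin; prints "domain<TAB>trust level<TAB>peer".
dane_fallbacks() {
    awk '
    # Return the process tag, e.g. "postfix-rz-out/smtp[22203]:".
    function tag(   i) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /\/smtp\[[0-9]+\]:$/) return $i
        return ""
    }
    /dane configured, but no requisite library support/ {
        t = tag()
        for (i = 2; i <= NF && t != ""; i++)
            if ($i == "dane") {          # preceding field is "<domain>:"
                d = $(i - 1); sub(/:$/, "", d); pending[t] = d; break
            }
        next
    }
    / TLS connection established to / {
        t = tag()
        if (t == "" || !(t in pending)) next
        level = ""; peer = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "TLS" && $(i + 1) == "connection") level = $(i - 1)
            if ($i == "to" && peer == "") { peer = $(i + 1); sub(/:$/, "", peer) }
        }
        printf "%s\t%s\t%s\n", pending[t], level, peer
        delete pending[t]
    }'
}

# Constructed sample modelled on the log excerpt quoted in the thread; the
# last line (another PID, no DANE warning) is invented as a negative case.
sample_log() {
cat <<'EOF'
May  8 22:23:11 mail postfix-rz-out/smtp[22203]: warning: cannot generate TA certificates, no trust-anchor or DANE support
May  8 22:23:11 mail postfix-rz-out/smtp[22203]: warning: petri-markus.de: dane configured, but no requisite library support
May  8 22:23:11 mail postfix-rz-out/smtp[22203]: Untrusted TLS connection established to marge.ceotex.de[2a01:4f8:140:6ffb::24]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
May  8 22:23:12 mail postfix-rz-out/smtp[22310]: Untrusted TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
EOF
}

sample_log | dane_fallbacks
```

Every reported row is a delivery for which DANE was requested but the session was not authenticated by it; on a live system, pipe the mail log into `dane_fallbacks` instead of `sample_log`.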