On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote:

> Greetings,
>
> I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
>
>     warning: sys4.de: dane configured, but no requisite library support
>
> <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
> suggests the underlying openssl library is too old. Viktor writes at least
> openssl 1.0.0 would be required.
>
> The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
> Could it be the openssl package has been built without DANE support? What can
> I do to track this down?
Beyond OpenSSL 1.0.0, you also need the resolver headers to define:

    RES_USE_DNSSEC
    RES_USE_EDNS0

and for OpenSSL to *not* define OPENSSL_NO_ECDH. On RedHat systems, it is
this last constraint that is the likely problem. RedHat systems have
historically disabled EC algorithms based on FUD around Certicom's patents
(the most important of which, point compression, expires tomorrow I hear).

Anyway, RedHat did add limited ECDH support (sufficient for Postfix DANE)
some months back; make sure your system has the updated OpenSSL build.

    https://bugzilla.redhat.com/show_bug.cgi?id=319901

You can check that the OpenSSL headers define:

    $ grep NID_X9_62_prime256v1 /usr/include/openssl/obj_mac.h
    #define NID_X9_62_prime256v1 415

which is expected to be the case with the updated RedHat OpenSSL library.

-- 
Viktor.
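The three build-time prerequisites Viktor lists (resolver RES_USE_DNSSEC/RES_USE_EDNS0, no OPENSSL_NO_ECDH, and NID_X9_62_prime256v1 present) can be checked in one go. The script below is an added example, not code from the thread or from Postfix; the header paths in check_system are the usual RHEL locations and are an assumption, and the header snippets it builds for the offline demo are constructed, not copied from any real system.

```sh
#!/bin/sh
# Added example: check the build-time prerequisites for Postfix outbound DANE
# described in the reply above. Not part of the original thread or of Postfix.
#   1. resolver headers define RES_USE_DNSSEC and RES_USE_EDNS0
#   2. OpenSSL's opensslconf.h does NOT define OPENSSL_NO_ECDH
#   3. OpenSSL's obj_mac.h defines NID_X9_62_prime256v1 (P-256 compiled in)

# has_define FILE MACRO -> 0 if FILE contains "#define MACRO" (any whitespace
# after '#', as RedHat's opensslconf.h writes "# define"), else 1.
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1" 2>/dev/null
}

# dane_prereqs RESOLV_H OPENSSLCONF_H OBJ_MAC_H
# Prints one line per check; returns 0 only if all three pass.
dane_prereqs() {
    resolv_h=$1 conf_h=$2 objmac_h=$3 rc=0
    if has_define "$resolv_h" RES_USE_DNSSEC && has_define "$resolv_h" RES_USE_EDNS0; then
        echo "ok:   resolver defines RES_USE_DNSSEC and RES_USE_EDNS0"
    else
        echo "FAIL: $resolv_h lacks RES_USE_DNSSEC and/or RES_USE_EDNS0"; rc=1
    fi
    if has_define "$conf_h" OPENSSL_NO_ECDH; then
        echo "FAIL: $conf_h defines OPENSSL_NO_ECDH (ECDH disabled; DANE needs it)"; rc=1
    else
        echo "ok:   OPENSSL_NO_ECDH is not defined"
    fi
    if has_define "$objmac_h" NID_X9_62_prime256v1; then
        echo "ok:   NID_X9_62_prime256v1 present (P-256 objects compiled in)"
    else
        echo "FAIL: $objmac_h lacks NID_X9_62_prime256v1"; rc=1
    fi
    return $rc
}

# Real check on this host. Paths are the usual RHEL locations (an assumption).
check_system() {
    dane_prereqs /usr/include/resolv.h \
                 /usr/include/openssl/opensslconf.h \
                 /usr/include/openssl/obj_mac.h
}

# Constructed header snippets (not real system files) so the check can be
# exercised offline: "old" mimics an OpenSSL build with ECDH disabled and no
# P-256 objects, "new" mimics the updated build with ECDH enabled.
make_constructed_headers() {
    dir=$1
    printf '#define RES_USE_DNSSEC 0x00800000\n#define RES_USE_EDNS0 0x00004000\n' > "$dir/resolv.h"
    printf '#ifndef OPENSSL_NO_ECDH\n# define OPENSSL_NO_ECDH\n#endif\n' > "$dir/opensslconf_old.h"
    printf '#ifndef OPENSSL_NO_EC2M\n# define OPENSSL_NO_EC2M\n#endif\n' > "$dir/opensslconf_new.h"
    printf '/* constructed: no prime256v1 here */\n' > "$dir/obj_mac_old.h"
    printf '#define NID_X9_62_prime256v1 415\n' > "$dir/obj_mac_new.h"
}

# check_constructed old|new -> exit status of dane_prereqs on that variant
check_constructed() {
    tmp=$(mktemp -d) || return 2
    make_constructed_headers "$tmp"
    if [ "$1" = old ]; then
        dane_prereqs "$tmp/resolv.h" "$tmp/opensslconf_old.h" "$tmp/obj_mac_old.h"
    else
        dane_prereqs "$tmp/resolv.h" "$tmp/opensslconf_new.h" "$tmp/obj_mac_new.h"
    fi
    status=$?
    rm -rf "$tmp"
    return $status
}
```

On a real host, run check_system; a FAIL line on the OPENSSL_NO_ECDH check is the "no requisite library support" case from the original question, and the fix is the updated OpenSSL package rather than a Postfix configuration change.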