On 03/12/2016 10:50 AM, Viktor Dukhovni wrote:
> On Sat, Mar 12, 2016 at 10:31:44AM -0800, Alice Wonder wrote:
> > I stick with 2.11.x and probably will as long as it is maintained, and I
> > build against LibreSSL which is controversial to some, and a devel branch of
> > LibreSSL - but it works for me...
> Note, I don't test against LibreSSL, and compatibility is not
> promised.
> OpenSSL 1.1.0 will include native DANE support which may be enabled
> in future versions of Postfix in preference to the original Postfix
> version.
> LibreSSL got a head start on cleaning up the OpenSSL code, which
> is easier to do when you have no legacy install-base to worry about;
> this is now changing.
> I understand that your choice works for you, that's fine. Just
> saying that for most Postfix users I'd recommend sticking with
> OpenSSL and upgrading each of Postfix and OpenSSL as opportunities
> arise.
I understand that. Upgrading the version of OpenSSL on RHEL/CentOS
systems is not recommended. You could install a newer version in
/usr/local or /opt, but then you have to make sure all your executables
use the right one.
Red Hat also removes most of the ECC curves from their build of OpenSSL.
Using LibreSSL for me anyway solves all those issues. I can leave the
system OpenSSL alone and just build server packages against LibreSSL.
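The two checks the message above implies, as an added example that is not part of the thread and not Postfix's own tooling: first, which libssl/libcrypto a given executable actually resolves at run time and whether both live under the prefix you built against (mixing a /usr/local libssl with the system libcrypto is the failure mode to catch); second, whether the TLS library a build uses lists the EC curves you need, which makes a reduced curve list visible. The binary paths, the /usr/local and /opt/libressl prefixes, and the ldd and curve-list samples are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify which libssl and
# libcrypto a binary resolves, check they share one expected prefix, and check
# that a build's `openssl ecparam -list_curves` output includes required curves.

# ssl_libs: read `ldd` output on stdin; print "<name> <path>" for libssl and
# libcrypto only ("not-found" when the loader cannot resolve the library).
ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        name = $1; sub(/\.so.*/, "", name)
        if ($2 == "=>" && $3 != "not") path = $3; else path = "not-found"
        print name, path
    }'
}

# libs_under_prefix PREFIX: read "<name> <path>" pairs (as printed by ssl_libs)
# on stdin; succeed only if at least one pair was seen and every path starts
# with PREFIX/. Anything else is printed as a MISMATCH line.
libs_under_prefix() {
    awk -v p="$1/" '
        index($2, p) != 1 { bad++; print "MISMATCH: " $1 " resolves to " $2 }
        { n++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# check_binary BIN PREFIX: run both checks above against a real executable,
# e.g. check_binary /usr/local/libexec/postfix/smtpd /usr/local (assumed path).
check_binary() {
    ldd "$1" | ssl_libs | libs_under_prefix "$2"
}

# has_curves CURVE...: read `openssl ecparam -list_curves` output on stdin
# (lines such as "  prime256v1: X9.62/SECG curve over a 256 bit prime field");
# succeed only if every named curve is listed, printing MISSING lines otherwise.
has_curves() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        /:/ { name = $1; sub(/:$/, "", name); seen[name] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { missing++; print "MISSING: " w[i] }
            if (missing > 0) exit 1
            exit 0
        }'
}

# Constructed sample ldd output (not captured from a real system): libssl comes
# from /usr/local but libcrypto from the system library directory.
SAMPLE_LDD=$(printf '\tlinux-vdso.so.1 (0x00007ffc)\n\tlibssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f01)\n\tlibcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f02)\n\tlibc.so.6 => /lib64/libc.so.6 (0x00007f03)\n')

# Offline demonstration on the constructed sample; on a real host replace this
# with: check_binary /path/to/executable /usr/local
if printf '%s\n' "$SAMPLE_LDD" | ssl_libs | libs_under_prefix /usr/local; then
    echo "all TLS libraries resolve under /usr/local"
else
    echo "binary mixes TLS libraries from different prefixes"
fi
```

On a real host, point `check_binary` at each server executable you rebuilt (for Postfix, the daemons under its libexec directory as well as the command-line tools), and pipe the output of the `openssl` binary that belongs to the same prefix into `has_curves`; running the system `openssl` instead would report the system build's curves, not the ones your daemons see.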