On Wed, Oct 24, 2018 at 12:59:06PM -0400, Viktor Dukhovni wrote:

> > My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> Support for TLS 1.2 was added in OpenSSL 1.0.2.

Apologies, I double-checked, and support for TLS 1.2 was in fact
added in OpenSSL 1.0.1, so your OpenSSL library should have it.

> Postfix 2.8 supports
> TLS 1.2 just fine, provided the OpenSSL it is linked with does the
> same.

And yet, the above is also true: Postfix 2.8 will use TLS 1.2 if
the underlying OpenSSL library supports it.  What was added in
Postfix 2.8.10 was the ability to *disable* TLS 1.2 if needed:

    Major changes with Postfix 2.8.10
    ---------------------------------
    
    This release adds support to turn off the TLSv1.1 and TLSv1.2
    protocols.  Introduced with OpenSSL version 1.0.1, these are known
    to cause inter-operability problems with for example hotmail.

Prior to 2.8.10, Postfix had no means to disable TLS 1.2.

> You need a less ancient operating system whose OpenSSL library
> is at least 1.0.2.  Note that OpenSSL 1.0.1 reached end of life
> last year, is no longer supported, and likely has some residual
> security warts.

You should still avoid OpenSSL 1.0.1; it was first released more
than six years ago in March of 2012 and its last update was in Nov
2016.  The 1.0.2 release was released in January of 2015 and users
should now be on either of the two 1.0.2 or 1.1.1 OpenSSL LTS
releases.

-- 
        Viktor.
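
The following is an added example, not part of the original message and not Postfix code: a small model of the two facts above, namely that protocol availability comes from the linked OpenSSL release and that disabling TLSv1.1/TLSv1.2 requires Postfix 2.8.10.  The function names, the tuple form of the Postfix version and the handling of an unknown name as an error are assumptions; the exclusion list follows the `!name` form used by `smtp_tls_protocols`.

```python
import re

# Protocol names and the OpenSSL release that introduced them (per the thread:
# TLSv1.1 and TLSv1.2 arrived with OpenSSL 1.0.1). Older protocols are marked
# (0, 0, 0), meaning "always present" in this simplified model.
INTRODUCED = {"SSLv3": (0, 0, 0), "TLSv1": (0, 0, 0),
              "TLSv1.1": (1, 0, 1), "TLSv1.2": (1, 0, 1)}
# Postfix release that can turn off TLSv1.1/TLSv1.2 (2.8.10 per the thread).
# Assumption: only the 2.8 branch is modelled, not backports to other branches.
NAMES_KNOWN_SINCE = (2, 8, 10)


def openssl_version(banner):
    """Parse 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1)."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def effective_protocols(banner, postfix, spec=""):
    """Protocols left enabled for a given library, Postfix version and
    exclusion list such as '!SSLv3, !TLSv1.2' (only '!' entries modelled)."""
    lib = openssl_version(banner)
    enabled = {p for p, since in INTRODUCED.items() if lib >= since}
    for token in re.split(r"[\s,:]+", spec.strip()):
        if not token:
            continue
        if not token.startswith("!"):
            raise ValueError("only exclusions are modelled: %r" % token)
        name = token[1:]
        if name not in INTRODUCED:
            raise ValueError("unknown protocol: %r" % name)
        if name in ("TLSv1.1", "TLSv1.2") and postfix < NAMES_KNOWN_SINCE:
            # Modelling choice: report a config error rather than guess how
            # an older Postfix reacts to a protocol name it does not know.
            raise ValueError("Postfix %s cannot disable %s" % (postfix, name))
        enabled.discard(name)
    return sorted(enabled)


if __name__ == "__main__":
    banner = "OpenSSL 1.0.1e-fips 11 Feb 2013"  # banner quoted in the thread
    print(effective_protocols(banner, (2, 8, 10), "!SSLv3, !TLSv1.2"))
```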
