[ The devel list majordomo is not doing too well just now, so please pardon my use of postfix-users instead. ]
In TLS 1.3 the key exchange parameters, whether elliptic curve (ECDHE or ECX, where ECX is one of X25519 or X448) or finite-field (FFDHE), are always from a negotiated list of well-known groups (no ad-hoc key exchange parameters).

--- OpenSSL 1.1.1

In OpenSSL 1.1.1 the TLS 1.3 implementation supports only EC key exchange (ECDHE and ECX); the finite-field (FFDHE) groups are available only for TLS 1.0–1.2. The APIs for configuring FFDHE parameters and ECDHE curves are separate, and setting the supported EC curve list does not affect the choice of, or the availability of, FFDHE groups (server-side only).

When TLS 1.2 is negotiated and "auto" FFDHE group selection is not preëmpted by configuring an explicit set of DH parameters (in Postfix that would be via smtpd_tls_dh1024_param_file), the server selects one of the "standard" (https://www.rfc-editor.org/rfc/rfc7919#appendix-A) FFDHE groups based on the configured security level, the strength of the certificate private key, or else the symmetric cipher.

--- OpenSSL 3.0

OpenSSL 3.0 adds support for FFDHE in TLS 1.3. An SSL_CTX or SSL handle now has a single "groups" element that stores the combined list of supported EC and FFDHE code points. The legacy API for setting the EC curve list is now an alias for setting this combined list.

This means that applications not tweaked for OpenSSL 3.0 that explicitly set the EC curve list to just some list of EC curves end up disabling the newly supported FFDHE groups in TLS 1.3. Whether this is a feature or a bug, it is certainly not expected.

--- Postfix

The default list of EC groups compiled into Postfix 3.7 and later is:

    tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1

This makes no mention of FFDHE groups, so they remain disabled in TLS 1.3 even with OpenSSL 3.0, where they are supported by default.

If we wish to interoperate with hypothetical SMTP servers or clients that only support FFDHE (perhaps some emergency makes it necessary to disable the EC groups), we need to ask OpenSSL to instead enable something along the lines of:

    X25519 X448 prime256v1 secp521r1 secp384r1 ffdhe2048 ffdhe3072

[ I'm disinclined to by default enable FFDHE at 4096 bits and up; these are CPU hogs with no clear security benefit. ]

But doing this in a backwards-compatible way, that still works for any users who were brave enough to set "tls_eecdh_auto_curves" expecting to just limit the EC groups, means that we'll need two parameters with the below defaults:

    tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1
    tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072

When Postfix is linked with OpenSSL 3.0, the two lists will be merged together.

Any comments or questions?

-- 
Viktor.
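The following is an added illustration, not Postfix or OpenSSL code, of how the two proposed parameters could be merged into the single "groups" list that OpenSSL 3.0 keeps (handed to SSL_CTX_set1_groups_list() as a colon-separated string), while OpenSSL 1.1.1 only gets the EC curve list. The parameter names follow the proposal above; the merge order (EC first, FFDHE last), the major-version check, and the rejection of ffdhe* names in the curve list on 1.1.1 are assumptions made for the example. It also shows the pitfall described for OpenSSL 3.0: an EC-only list leaves TLS 1.3 FFDHE disabled.

```python
# Added example (not Postfix's or OpenSSL's own code): build OpenSSL's single
# "groups" list from the two Postfix-style parameters proposed in the post.
# Parameter names, merge rule and the version check are assumptions.
from typing import List

# Proposed defaults from the post, as plain strings (constructed input).
DEFAULT_EECDH_AUTO_CURVES = "X25519 X448 prime256v1 secp521r1 secp384r1"
DEFAULT_FFDHE_AUTO_GROUPS = "ffdhe2048 ffdhe3072"


def parse_list(value: str) -> List[str]:
    """Split a Postfix-style list (whitespace and/or commas) into unique
    names, keeping first-seen order so the preference order survives."""
    seen = set()
    out = []
    for name in value.replace(",", " ").split():
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def is_ffdhe_group(name: str) -> bool:
    """RFC 7919 group names are ffdhe2048, ffdhe3072, ffdhe4096, ..."""
    return name.lower().startswith("ffdhe")


def openssl_groups_list(eecdh_auto_curves: str, ffdhe_auto_groups: str,
                        openssl_major: int) -> str:
    """Return the colon-separated string for SSL_CTX_set1_groups_list().

    OpenSSL 3.0 keeps one combined EC+FFDHE list, so both parameters are
    merged (EC first, FFDHE appended, mirroring the post's proposed order).
    OpenSSL 1.1.1 does TLS 1.3 key exchange with EC groups only, so the
    FFDHE parameter is ignored there; ffdhe* names in the curve list are
    rejected (assumption: the 1.1.1 curve API does not accept them).
    """
    curves = parse_list(eecdh_auto_curves)
    if openssl_major >= 3:
        extra = [g for g in parse_list(ffdhe_auto_groups) if g not in curves]
        groups = curves + extra
    else:
        bad = [c for c in curves if is_ffdhe_group(c)]
        if bad:
            raise ValueError(
                f"FFDHE names not usable as EC curves on OpenSSL "
                f"{openssl_major}.x: {bad}")
        groups = curves
    if not groups:
        raise ValueError("empty group list leaves no key exchange groups")
    return ":".join(groups)


def tls13_ffdhe_enabled(groups_list: str) -> bool:
    """With OpenSSL 3.0, TLS 1.3 FFDHE is usable only if some ffdhe* name
    made it into the combined list; an EC-only list (e.g. a legacy
    tls_eecdh_auto_curves setting) silently disables it."""
    return any(is_ffdhe_group(g) for g in groups_list.split(":"))


if __name__ == "__main__":
    merged = openssl_groups_list(DEFAULT_EECDH_AUTO_CURVES,
                                 DEFAULT_FFDHE_AUTO_GROUPS, 3)
    legacy = openssl_groups_list(DEFAULT_EECDH_AUTO_CURVES,
                                 DEFAULT_FFDHE_AUTO_GROUPS, 1)
    print("OpenSSL 3.0 groups:  ", merged,
          "-> TLS 1.3 FFDHE:", tls13_ffdhe_enabled(merged))
    print("OpenSSL 1.1.1 groups:", legacy,
          "-> TLS 1.3 FFDHE:", tls13_ffdhe_enabled(legacy))
```

Run with `python3` to print both lists; the second line shows that the unchanged EC-only list is what an un-tweaked OpenSSL 3.0 application would end up with, hence no FFDHE in TLS 1.3.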