On Fri, May 05, 2023 at 08:28:48PM -0400, Viktor Dukhovni via Postfix-users 
wrote:

> You should of course also share 
> (https://www.postfix.org/DEBUG_README.html#mail)
> 
>     $ postconf -nf
>     $ postconf -Mf
> 
> without any changes in whitespace, including line breaks.  Attaching
> these as text files may be simplest if your mail client won't coöperate.

And, if applicable, post the content of:

    /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

Which on a sample Fedora36 system holds:

    CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
    Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
    TLS.MinProtocol = TLSv1.2
    TLS.MaxProtocol = TLSv1.3
    DTLS.MinProtocol = DTLSv1.2
    DTLS.MaxProtocol = DTLSv1.2
    SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224

    [openssl_init]
    alg_section = evp_properties

    [evp_properties]
    rh-allow-sha1-signatures = yes

Postfix (at least in a default configuration) is not affected by:

    CipherString
    TLS.MinProtocol
    TLS.MaxProtocol
    DTLS.MinProtocol
    DTLS.MaxProtocol

But currently has no controls to override:

    # TLS 1.3 ciphersuites (not a priority to fine-tune)
    Ciphersuites = ...

    # TLS 1.2 signature algorithm negotiation (the RH list is fine)
    SignatureAlgorithms = ...

    # If this is set to "no", TLS 1.0 key exchange is likely to break.
    # In some cases certificate verification may break.
    rh-allow-sha1-signatures = yes

I don't even know whether RedHat exposes any mechanisms for applications
to opt-out of crypto policy and use only application-driven OpenSSL
configuration.  This should perhaps be looked into in the Postfix 3.9
timeframe.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
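An added example, not code from the original post or from the Postfix project: a small Python parser for the crypto-policies opensslcnf.txt format shown in the message, which splits the file into the directives a default Postfix configuration overrides (CipherString and the protocol floors/ceilings) and the ones it inherits with no Postfix control (Ciphersuites, SignatureAlgorithms, rh-allow-sha1-signatures), and flags the rh-allow-sha1-signatures = no case the post warns about. The embedded sample is the Fedora 36 text quoted in the post; the two classification sets follow the post's lists; the function names and the report layout are my own.

```python
"""Parse a crypto-policies opensslcnf.txt and report which settings a default
Postfix configuration actually inherits.

Added example; not from the Postfix project.  The classification of which
directives Postfix overrides and which it inherits is taken from the post.
"""
import re

# Sample input: the Fedora 36 /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
# contents quoted in the post, embedded so this runs offline.
SAMPLE_OPENSSLCNF = """\
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes
"""

# Per the post: Postfix's own TLS settings take precedence over these ...
OVERRIDDEN_BY_POSTFIX = {"CipherString", "TLS.MinProtocol", "TLS.MaxProtocol",
                         "DTLS.MinProtocol", "DTLS.MaxProtocol"}
# ... while these come from the policy and Postfix has no control to override them.
INHERITED_BY_POSTFIX = {"Ciphersuites", "SignatureAlgorithms",
                        "rh-allow-sha1-signatures"}


def parse_opensslcnf(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        # Split on the FIRST '=' only: values such as "@SECLEVEL=2:..." contain '='.
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        sections[current][key.strip()] = value.strip()
    return sections


def flatten(sections):
    """Merge every section into one key -> value map (keys are unique across sections here)."""
    flat = {}
    for kv in sections.values():
        flat.update(kv)
    return flat


def classify_for_postfix(text):
    """Split the policy into the directives Postfix overrides and the ones it inherits."""
    flat = flatten(parse_opensslcnf(text))
    return {
        "overridden": {k: v for k, v in flat.items() if k in OVERRIDDEN_BY_POSTFIX},
        "inherited": {k: v for k, v in flat.items() if k in INHERITED_BY_POSTFIX},
    }


def split_list(value):
    """Turn an OpenSSL colon-separated list into its individual tokens."""
    return [t for t in value.split(":") if t]


def warnings_for(text):
    """Flag the condition the post calls out: rh-allow-sha1-signatures = no."""
    inherited = classify_for_postfix(text)["inherited"]
    warnings = []
    if inherited.get("rh-allow-sha1-signatures", "yes").lower() == "no":
        warnings.append("rh-allow-sha1-signatures = no: TLS 1.0 key exchange is "
                        "likely to break; certificate verification may break")
    return warnings


def report(text):
    """Human-readable summary of what Postfix will actually be governed by."""
    c = classify_for_postfix(text)
    lines = ["Overridden by Postfix's own settings (policy value ignored):"]
    lines += ["  %s = %s" % (k, v) for k, v in sorted(c["overridden"].items())]
    lines.append("Inherited from crypto-policy (no Postfix control):")
    for k, v in sorted(c["inherited"].items()):
        toks = split_list(v)
        lines.append("  %s = %s" % (k, ", ".join(toks) if len(toks) > 1 else v))
    lines += ["WARNING: " + w for w in warnings_for(text)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OPENSSLCNF))
```

To check a live system, read `/usr/share/crypto-policies/DEFAULT/opensslcnf.txt` (or the file for whatever policy `update-crypto-policies --show` reports) and pass its contents to `report()`; the sample above is only there so the script runs without one.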