postfix-users@postfix.org wrote in <zfl9t9x_et9dq...@straasha.imrryr.org>: |On Mon, May 08, 2023 at 06:13:25PM -0400, Wietse Venema via Postfix-users \ |wrote: |> We're thinking of adding a few new settings to the stable Postfix |> releases that allow Postfix to regain some control over crypto |> policies that do not necessarily improve matters for SMTP where |> the main result would be more plaintext communication. | |> With stable releases, it would not be approprriate to introduce a |> boatload of features, but plausible candidates are: |> |> tls_config_file = default | none(*) | /path/to/file |> (*)only OpenSSL 1.1.b and later | |Minor correction, the base OpenSSL release that supports configuration |file overrides is "1.1.1b", rather than "1.1.b". | |- The minimum OpenSSL version supported by Postfix 3.6 and later is 1.1.1. |- The OpenSSL version in which RedHat started introducing strict crypto | policies is OpenSSL 3.0. | |This means that: | | - If you're still using OpenSSL 1.0.2 (with Postfix <= 3.5) you | probably don't need to override the system-wide openssl.cnf file. | Though it may be possible to use: | | import_environment = | ... default value from "postconf -d"... | OPENSSL_CONF=/some/file | | An empty file would be equivalent to "none". | | - If you're using OpenSSL 1.1.1 or 1.1.1a, you also probably don't | need to override the system-wide openssl.cnf file. Same | work-around as before, or set the application name, and add | appropriate application settings in the system-wide file. | | - If you're using OpenSSL 1.1.1b or later, and in particular 3.0 | or, especially on a RedHat or Fedora system, you may choose to | override the system-wide configuration file or the application | name. Then, overly strict cryptographic policy will not result | in unnecessary downgrades to cleartext in opportunistic TLS. | |We'll probably later have to extend support for tweaking additional |TLS-related settings through the "SSL_CONF" API, though that will have |the downside that non-expert users may end up cargo culting settings |that do more harm than good. I'll try to discourage this as much
Lame argument, isn't it. Just more settings, but in a generic way that could be interchangeable in between servers if only all would simply and only use that one. (I immediately jumped that train and also support specific [module] sections, how complicated and under-documented that in effect is. I liked the idea that you can have it all in one OpenSSL configuration file, with a default section and per-program sections.) But CONF_ is not the same across implementations, and programs continue to "bake their own bread rolls". (lighttpd now uses it.) Having said that, terrible how OpenSSL switched that (loading of a config file) on and off by default, and how they added config via OPENSSL_INIT_SETTINGS object. Better set OPENSSL_INIT_NO_LOAD_CONFIG and continue using CONF_modules_load_file() explicitly (and exclusively) i thought. Thanks. Well it was a non-outstanding entry in a multi-thousand line change log in between 1.1.1 and 3.0.0, so i seem to have missed that. Thanks again. |as possible, but the target audience will be those who know what |they are doing, or are following sound advice. | |One goal may be to make some of the crypto hardening conditional on the |TLS security level, which means different settings for different levels. | |Hopefully more on this as 3.9 snapshots evolve. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) |~~ |..and in spring, hear David Leonard sing.. | |The black bear, The black bear, |blithely holds his own holds himself at leisure |beating it, up and down tossing over his ups and downs with pleasure |~~ |Farewell, dear collar bear _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
