On Wed, Sep 18, 2024 at 07:58:31PM +0200, Geert Hendrickx via Postfix-users
wrote:
> On Thu, Sep 19, 2024 at 02:02:50 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > This makes it possible to write "forward-looking" configs that will use
> > newer groups once they're available in the OpenS
On Thu, Sep 19, 2024 at 02:02:50 +1000, Viktor Dukhovni via Postfix-users wrote:
> This makes it possible to write "forward-looking" configs that will use
> newer groups once they're available in the OpenSSL runtime.
Well actually, in this case it achieves the opposite, as the individual
checking
On Wed, Sep 18, 2024 at 05:38:25PM +0200, Geert Hendrickx via Postfix-users
wrote:
> Oh, I see now. If SSL_CTX_set1_curves_list() is defined, nginx runs
> it directly on the whole list (without checking the elements first).
> OBJ_sn2id is only used for older openssl.
The problem is that IIRC wh
On Thu, Sep 19, 2024 at 01:01:42 +1000, Viktor Dukhovni via Postfix-users wrote:
> The OBJ_sn2nid() function is not extensible, and not affected by loading
> of providers. To actually be able to map this algorithm to a "nid", the
> base OpenSSL code would have to know about "x25519_kyber768".
Ok
On Wed, Sep 18, 2024 at 02:02:32PM +0200, Geert Hendrickx wrote:
> > > > warning: ignoring unknown key exchange group "x25519_kyber768"
> >
> > What Postfix process is logging this?
>
> smtpd, as soon as I connect to port 25 (i.e., as soon as smtpd is started
> and reads this config). It gets lo
On Wed, Sep 18, 2024 at 14:02:32 +0200, Geert Hendrickx via Postfix-users wrote:
> On Wed, Sep 18, 2024 at 21:29:07 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > You should initially test with "posttls-finger",
>
> `posttls-finger -L ssl-debug` shows successful TLS negotiation, but without
On Wed, Sep 18, 2024 at 21:29:07 +1000, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Sep 18, 2024 at 01:04:58PM +0200, Geert Hendrickx wrote:
>
> > Specifically, this provider implements new Key Encapsulation Methods like
> > "x25519_kyber768", which I can use with `openssl s_server -groups`
On Wed, Sep 18, 2024 at 01:04:58PM +0200, Geert Hendrickx wrote:
> Specifically, this provider implements new Key Encapsulation Methods like
> "x25519_kyber768", which I can use with `openssl s_server -groups`, or with
> nginx as `ssl_ecdh_curve`, but not with Postfix in `tls_eecdh_auto_curves`.
>