Current-Users archive
Re: openssl3+postfix issue (ca md too weak)
On Tue, Nov 14, 2023 at 11:10:16AM +1300, Lloyd Parkes wrote:
>
>
> On 14/11/23 10:56, Joerg Sonnenberger wrote:
> >
> > NIST has been sunsetting SHA1 for a long time, 2016 in fact. In many cases, there is a better trust chain
> > for Comodo intermediary certificates and admins should be installing those.
>
> I'm not sure that's what Comodo has, even though it is the normal way of
> doing things.
>
> I found a Comodo web page that said SHA1 will be fine, so don't worry, and
> if you are worried, you can buy a different certificate. That same web
> page's link to their intermediate certificates is a dead link. Comodo does
> not fill me with confidence.
Unfortunately I don't have the choice for this one.
>
> I'm going to guess that the default @SECLEVEL of openssl needs to be
> adjusted if there is no Postfix specific way to adjust it. Apparently you
> can set the environment variable OPENSSL_CONF to run with a custom openssl
> configuration which can avoid reducing the security level of the rest of
> your system. Searching for "openssl @SECLEVEL" gave me the usual levels of
> StackExchange clarity, so ymmv.
I tried this, but nothing that I've tried in /etc/openssl/openssl.cnf
did seem to have any effect. I wonder if postfix is doing some specific
openssl setup that overrides the openssl.cnf settings.
But also note that I could not reproduce the problem with openssl s_client.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
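As an added example that is not part of the thread, the following script reproduces the class of failure in the subject line with a constructed chain (a private test root, an intermediate signed with SHA-1, a SHA-256 leaf) and shows the effect of the authentication level that @SECLEVEL governs. All names, serials and paths are made up, and the check uses `openssl verify -auth_level` rather than a TLS session.

```shell
#!/bin/sh
# Constructed demonstration, not code from the thread: build a three-cert
# chain whose intermediate CA is signed with SHA-1 and check it at several
# X.509 authentication levels. openssl verify takes the level from
# -auth_level; libssl derives the same threshold from @SECLEVEL. OpenSSL 3
# treats SHA-1 signatures as too weak from level 1 (its default) upward and
# reports X509_V_ERR_CA_MD_TOO_WEAK, the "ca md too weak" of the subject.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal config so 'openssl req' works without a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
newkey root.key; newkey inter.key; newkey leaf.key

# Root: self-signed with SHA-256 (a trust anchor's own signature is not rated).
openssl req -new -x509 -config req.cnf -key root.key -subj /CN=root -sha256 -days 30 -out root.pem
# Intermediate: a CA certificate signed by the root with SHA-1, the weak link.
openssl req -new -config req.cnf -key inter.key -subj /CN=inter -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1001 -sha1 -days 30 \
    -extfile req.cnf -extensions v3_ca -out inter.pem 2>/dev/null
# Leaf: signed by the intermediate with SHA-256, so only the CA's digest is weak.
openssl req -new -config req.cnf -key leaf.key -subj /CN=mail.example -out leaf.csr
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 1002 -sha256 -days 30 \
    -out leaf.pem 2>/dev/null

# verify_at_level LEVEL: prints "accepted" or "rejected"; on rejection the
# OpenSSL reason goes to stderr so the operator sees which cert and why.
verify_at_level() {
    if out=$(openssl verify -auth_level "$1" -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1); then
        echo accepted
    else
        printf '%s\n' "$out" | grep error >&2 || true
        echo rejected
    fi
}

for level in 0 1 2; do echo "auth_level $level: $(verify_at_level "$level")"; done
```

`openssl s_client` prints such a failure as a non-zero "Verify return code" but still completes the handshake unless `-verify_return_error` is given, so a working s_client session does not show that a chain passes. For libssl users the same threshold comes from `@SECLEVEL` in the `CipherString` of the `system_default` section that `ssl_conf` names in openssl.cnf, which only reaches programs that load that config.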