tech-crypto archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: openssl3+postfix issue (ca md too weak)
Manuel Bouyer wrote in
<ZVJ6LIrEPxlCEbNB%antioche.eu.org@localhost>:
|Hello
|I'm facing an issue with postfix+openssl3 which may be critical (depending
|on how it can be fixed).
|
|Now my postfix setup fails to send mails with
|Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: \
|error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd\
|/openssl/dist/ssl/statem/statem_lib.c:984:
|
|>From what I understood, this is the remote certificate which is not \
|>accepted:
|openssl 3 deprecated some signature algorithm, which are no longer accepted
|with @SECLEVEL=1 (which is the default).
|In server's certificate chain all but the last one are signed with
|sha384WithRSAEncryption (which should be OK). The last one (the root
|certificate) is signed with RSA-SHA1 and I don't think this will change
|soon:
| 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, \
| CN = A
| AA Certificate Services
| i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, \
| CN = A
| AA Certificate Services
| a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
| v:NotBefore: Jan 1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 \
| 2028 GMT
|
|So, as far as I understand, we end up with a postfix installation which
|can't talk to servers with valid certificates.
|
|The solution (from google) would be to force @SECLEVEL=0 but I didn't find
|a way to do this for postfix. The solutions I've seen were for openvpn or
|curl, but nothing about postfix :(
Isn't that just postfix config. Btw *i* have no problem with
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
#SMART The next is usually nice but when using client certificates
smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
# super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = TLSv1
^ This works in practice without any noticeable trouble.
(But then i again i do not have to make money from that or my
customers who must talk to ten year old refrigerators.)
# ..otherwise that
#smtpd_tls_mandatory_ciphers = high
#smtpd_tls_mandatory_exclude_ciphers =
# aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
# EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
Ie. This can only be a postfix config issue, no.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Home |
Main Index |
Thread Index |
Old Index