On Tue, Nov 14, 2023 at 11:10:16AM +1300, Lloyd Parkes wrote:
> 
> 
> On 14/11/23 10:56, Joerg Sonnenberger wrote:
> > 
> > NIST has been sunsetting SHA1 for a long time, 2016 in fact. In many cases,
> > there is a better trust chain for Comodo intermediary certificates and
> > admins should be installing those.
> 
> I'm not sure that's what Comodo has, even though it is the normal way of
> doing things.
> 
> I found a Comodo web page that said SHA1 will be fine, so don't worry, and
> if you are worried, you can buy a different certificate. That same web
> page's link to their intermediate certificates is a dead link. Comodo does
> not fill me with confidence.

Unfortunately I don't have the choice for this one.

> 
> I'm going to guess that the default @SECLEVEL of openssl needs to be
> adjusted if there is no Postfix specific way to adjust it. Apparently you
> can set the environment variable OPENSSL_CONF to run with a custom openssl
> configuration which can avoid reducing the security level of the rest of
> your system. Searching for "openssl @SECLEVEL" gave me the usual levels of
> StackExchange clarity, so ymmv.

I tried this; but nothing that I've tried in /etc/openssl/openssl.cnf seems
to have any effect. I wonder if postfix is doing some specific openssl setup
that overrides the openssl.cnf settings.
But also note that I could not reproduce the problem with openssl s_client

-- 
Manuel Bouyer <[email protected]>
     NetBSD: 26 years of experience will always make the difference
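The per-process OPENSSL_CONF approach Lloyd describes above, written out as an added example (this is not code from the thread, from NetBSD or from Postfix). It builds a minimal openssl.cnf whose `system_default` section sets `CipherString = DEFAULT@SECLEVEL=N`, and runs a single command with `OPENSSL_CONF` pointing at that file, so the system-wide /etc/openssl/openssl.cnf stays at its normal level. The function names, the temporary-file handling and the choice of level 1 are assumptions of the example.

```shell
#!/bin/sh
# Added example: scope an OpenSSL security-level change to one process via
# OPENSSL_CONF instead of editing the system-wide openssl.cnf.
# Function names, paths and the default level are assumptions, not from the thread.

# write_seclevel_conf FILE LEVEL
# Writes a minimal openssl.cnf whose system_default section sets the
# cipher string with the requested security level (0..5).
write_seclevel_conf() {
    conf="$1"
    level="${2:-1}"
    case "$level" in
        [0-5]) ;;
        *) echo "security level must be 0..5" >&2; return 1 ;;
    esac
    cat > "$conf" <<EOF
# constructed per-process OpenSSL configuration (added example)
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=${level}
EOF
}

# seclevel_of_conf FILE
# Prints the level a config written by write_seclevel_conf sets; fails if none.
seclevel_of_conf() {
    sed -n 's/^CipherString *= *DEFAULT@SECLEVEL=\([0-9]\).*/\1/p' "$1" | grep .
}

# run_with_seclevel LEVEL CMD...
# Runs CMD with OPENSSL_CONF pointing at a temporary config; only that
# process (and its children) sees the relaxed level.
run_with_seclevel() {
    level="$1"; shift
    tmp=$(mktemp) || return 1
    write_seclevel_conf "$tmp" "$level" || { rm -f "$tmp"; return 1; }
    OPENSSL_CONF="$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example use (assumed host name): connect once at level 1 without touching
# the system default.
#   run_with_seclevel 1 openssl s_client -connect mail.example.org:25 -starttls smtp
```

Two caveats for reading the results. The `system_default` section is applied when an SSL_CTX is created, so `openssl s_client` honours it but a bare `openssl verify` does not; and a daemon only sees the variable if it reaches the daemon's processes (for Postfix that means the `import_environment` setting) and only if the daemon does not install its own cipher string afterwards, which would override the file's `CipherString` and is consistent with what Manuel observed. Which level re-admits a SHA1-signed chain depends on the OpenSSL version, so use the highest level that still works rather than dropping straight to 0.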
