Viktor Dukhovni:
> On Sun, Apr 22, 2012 at 03:12:26PM -0400, Wietse Venema wrote:
>
> > > Proposed patch attached.
> >
> > That will be a solution for Postfix 2.10.
> >
> > Meanwhile, for earlier Postfix releases, how much of the problem
> > can be solved by changing from:
> >
> > mumble_tls_mandatory_protocols = SSLv3, TLSv1
> >
> > (i.e. the current default) to:
> >
> > mumble_tls_mandatory_protocols = !SSLv2
>
> The two defaults are equivalent when the protocols known to Postfix
> are just SSLv2, SSLv3 and TLSv1 (even if the SSL library implements
> additional protocols). Either way, Postfix sets the SSL_OP_NO_SSLv2
> flag.
>
> This default would, however, also disable TLSv1_1 and TLSv1_2
> with the 2.10 patch that adds knowledge of those protocols to Postfix,
> so it made sense to change the default to be "!SSLv2", which is what
> it really means.
Why do we need to have (expr & TLS_KNOWN_PROTOCOLS) in the code
in the first place? If we get rid of it, then we don't have to
rush out patches each time the OpenSSL team comes out with a
new incompatible protocol.
Wietse
> So, sure, we can change the default to the equivalent "!SSLv2" in
> earlier releases if that simplifies documentation, or otherwise
> aids in clarity of "postconf" output.
>
> --
> Viktor.
>
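The equivalence Viktor describes, and the way it breaks once new protocol names are added, is easy to see with a small model of the protocol-list parsing. The following is an added illustration and not Postfix's own code: the protocol bit values, the KNOWN_OLD/KNOWN_NEW masks, the PROTO_ERR value, the spelling "TLSv1.1"/"TLSv1.2" for the two newer names, and the function protocols_to_disable() are all the example's own choices. It treats an inclusion list ("SSLv3, TLSv1") as "disable every known protocol not listed" and an exclusion list ("!SSLv2") as "disable exactly these", with the result masked by the set of known protocols, which is the role the `(expr & TLS_KNOWN_PROTOCOLS)` expression plays in the discussion above.

```c
#include <stdio.h>
#include <string.h>

/* Protocol bits. Illustrative values, not OpenSSL's SSL_OP_NO_* constants. */
#define P_SSLv2   (1u << 0)
#define P_SSLv3   (1u << 1)
#define P_TLSv1   (1u << 2)
#define P_TLSv1_1 (1u << 3)
#define P_TLSv1_2 (1u << 4)

/* Two "known protocol" masks (example's own): one for a build that knows
   only the three original names, one that also knows TLSv1.1 and TLSv1.2. */
#define KNOWN_OLD (P_SSLv2 | P_SSLv3 | P_TLSv1)
#define KNOWN_NEW (KNOWN_OLD | P_TLSv1_1 | P_TLSv1_2)

#define PROTO_ERR ((unsigned)-1)   /* returned for an unrecognised name */

static const struct { const char *name; unsigned bit; } proto_names[] = {
    {"SSLv2", P_SSLv2}, {"SSLv3", P_SSLv3}, {"TLSv1", P_TLSv1},
    {"TLSv1.1", P_TLSv1_1}, {"TLSv1.2", P_TLSv1_2},
};

static unsigned lookup_proto(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(proto_names) / sizeof(proto_names[0]); i++)
        if (strcmp(name, proto_names[i].name) == 0)
            return proto_names[i].bit;
    return 0;
}

/*
 * Parse a list such as "SSLv3, TLSv1" or "!SSLv2" and return the set of
 * protocols to disable (an SSL_OP_NO_* style mask), limited to `known`.
 * Names without '!' form an inclusion list: every known protocol that is
 * not listed gets disabled. Names with '!' are disabled directly.
 * A name that is not in `known` yields PROTO_ERR.
 */
unsigned protocols_to_disable(const char *spec, unsigned known)
{
    char buf[256];
    unsigned include = 0, exclude = 0, bit;
    char *tok;

    if (strlen(spec) >= sizeof(buf))
        return PROTO_ERR;
    strcpy(buf, spec);

    for (tok = strtok(buf, " ,\t"); tok != NULL; tok = strtok(NULL, " ,\t")) {
        int negate = (tok[0] == '!');
        bit = lookup_proto(negate ? tok + 1 : tok);
        if (bit == 0 || (bit & known) == 0)
            return PROTO_ERR;
        if (negate)
            exclude |= bit;
        else
            include |= bit;
    }
    /* The mask against `known` is what turns "SSLv3, TLSv1" into "disable
       everything else this build knows about", which silently grows to
       cover protocols learnt after the list was written. */
    if (include != 0)
        exclude |= known & ~include;
    return exclude;
}

static void show(const char *spec, unsigned known, const char *label)
{
    unsigned d = protocols_to_disable(spec, known);
    if (d == PROTO_ERR)
        printf("%-14s %-9s -> unknown protocol name\n", spec, label);
    else
        printf("%-14s %-9s -> disable 0x%02x\n", spec, label, d);
}

int main(void)
{
    show("SSLv3, TLSv1", KNOWN_OLD, "KNOWN_OLD");  /* SSLv2 only */
    show("!SSLv2",       KNOWN_OLD, "KNOWN_OLD");  /* SSLv2 only: same */
    show("SSLv3, TLSv1", KNOWN_NEW, "KNOWN_NEW");  /* also drops 1.1, 1.2 */
    show("!SSLv2",       KNOWN_NEW, "KNOWN_NEW");  /* still SSLv2 only */
    show("TLSv1.2",      KNOWN_OLD, "KNOWN_OLD");  /* name not known yet */
    return 0;
}
```

With the old three-name mask the two defaults produce the same result (only SSLv2 disabled); with the five-name mask the inclusion form additionally disables TLSv1.1 and TLSv1.2, while "!SSLv2" does not change meaning, which is why the exclusion spelling is the one that survives new protocol names.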