Viktor Dukhovni:
> On Sun, Apr 22, 2012 at 03:12:26PM -0400, Wietse Venema wrote:
>
> > Proposed patch attached.
> >
> > That will be a solution for Postfix 2.10.
> >
> > Meanwhile, for earlier Postfix releases, how much of the problem
> > can be solved by changing from:
> >
> > mumble_tls_mandatory_protocols = SSLv3, TLSv1
> >
> > (i.e. the current default) to:
> >
> > mumble_tls_mandatory_protocols = !SSLv2
>
> The two defaults are equivalent when the protocols known to Postfix
> are just SSLv2, SSLv3 and TLSv1 (even if the SSL library implements
> additional protocols). Either way, Postfix sets the SSL_OP_NO_SSLv2
> flag.
>
> This default would however also disable TLSv1_1 and TLSv1_2 with
> the 2.10 patch that adds knowledge of those protocols to Postfix,
> so it made sense to change the default to be "!SSLv2", which is what
> it really means.
Why do we need to have (expr & TLS_KNOWN_PROTOCOLS) in the code in the
first place? If we get rid of it, then we don't have to rush out patches
each time the OpenSSL team comes out with a new incompatible protocol.

	Wietse

> So, sure, we can change the default to the equivalent "!SSLv2" in
> earlier releases if that simplifies documentation, or otherwise
> aids in clarity of "postconf" output.
>
> --
> 	Viktor.
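The two list forms compared above, worked through as an added example (this is not Postfix's own code): a small C function that turns a protocol list into a "disable these" mask, where an inclusion list is clipped against the set of protocols a release knows and an exclusion list is not. The PROTO_* bit values and the two KNOWN_* masks are constructed for this illustration and are not the real TLS_PROTOCOL_* or SSL_OP_NO_* constants.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed protocol bits for this example (not Postfix's or OpenSSL's values). */
#define PROTO_SSLv2   (1u << 0)
#define PROTO_SSLv3   (1u << 1)
#define PROTO_TLSv1   (1u << 2)
#define PROTO_TLSv1_1 (1u << 3)
#define PROTO_TLSv1_2 (1u << 4)

/* Assumed "known protocols" sets before and after a patch that teaches
 * the code about TLSv1.1 and TLSv1.2. */
#define KNOWN_PRE_PATCH  (PROTO_SSLv2 | PROTO_SSLv3 | PROTO_TLSv1)
#define KNOWN_POST_PATCH (KNOWN_PRE_PATCH | PROTO_TLSv1_1 | PROTO_TLSv1_2)

static unsigned proto_bit(const char *name, size_t len)
{
    static const struct { const char *name; unsigned bit; } tab[] = {
        { "SSLv2", PROTO_SSLv2 },     { "SSLv3", PROTO_SSLv3 },
        { "TLSv1", PROTO_TLSv1 },     { "TLSv1.1", PROTO_TLSv1_1 },
        { "TLSv1.2", PROTO_TLSv1_2 },
    };
    for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
        if (strlen(tab[i].name) == len && strncasecmp(tab[i].name, name, len) == 0)
            return tab[i].bit;
    return 0;
}

/* Return the set of protocols to disable for a comma/space separated list.
 * An inclusion list ("SSLv3, TLSv1") disables every *known* protocol that is
 * not listed, so its meaning changes when "known" grows.  An exclusion list
 * ("!SSLv2") disables exactly what is named, independent of "known".
 * Mixed lists and unknown names return (unsigned)-1 as an error. */
unsigned protocol_disable_mask(const char *list, unsigned known)
{
    unsigned include = 0, exclude = 0;
    const char *p = list;
    while (*p) {
        while (*p && (isspace((unsigned char)*p) || *p == ','))
            p++;
        if (!*p) break;
        int neg = (*p == '!');
        if (neg) p++;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p) && *p != ',')
            p++;
        unsigned bit = proto_bit(start, (size_t)(p - start));
        if (bit == 0) return (unsigned)-1;
        if (neg) exclude |= bit; else include |= bit;
    }
    if (include && exclude) return (unsigned)-1;   /* cannot mix the two forms */
    return exclude ? exclude : (known & ~include);
}
```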