On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:

> # openssl
> ./Configure \
>   --prefix=${BASE}/openssl \
>   --openssldir=${BASE}/openssl \
>   solaris-sparcv9-cc
> make; make install
>
> # postfix
> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> -L/usr/local/lib"
> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> -I/usr/local/include"
>
> make tidy; make makefiles \
>   CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
>   AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> make; make upgrade
If you're interested, I now have another option for you, a Postfix patch that will likely enable support for SHA-2 digests even when Postfix is compiled and linked with OpenSSL 0.9.8. Keep in mind that the latest OpenSSL 0.9.8 patch level is now 0.9.8y, and I seem to recall that you had 0.9.8k, which likely has various unpatched bugs. So you should probably upgrade the system's OpenSSL 0.9.8 libraries to 0.9.8y.

The patch is for DANE support with OpenSSL 1.0.0 (first release before 1.0.0a) and some systems with older 1.1.0-dev snapshots, but should also address your problem.

--- src/tls/tls_misc.c
+++ src/tls/tls_misc.c
@@ -1129,6 +1129,24 @@ int tls_validate_digest(const char *dgst)
     unsigned int md_len;
 
     /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates. Also facilitates DANE and TA support.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+	EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+	EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+	EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+	EVP_add_digest(EVP_sha512());
+#endif
+
+    /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
      */

-- 
	Viktor.
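Review bot: the registration is placed inside tls_validate_digest(), so the SHA-2 digests only become known to OpenSSL once a configured digest name is validated; any code path that needs them before that call (for example verifying a peer certificate chain signed with SHA-2) still sees them unregistered on an OpenSSL build that does not register them by default. Consider moving the EVP_add_digest() block, with its EVP_get_digestbyname() guards intact, to the one-time TLS library initialization so it runs exactly once and before any handshake. Minor: EVP_sha224() is registered under the LN_sha256/NID_sha256 guard and EVP_sha384() under the LN_sha512/NID_sha512 guard; guarding each digest by its own LN_/NID_ macro (defined(LN_sha224), defined(LN_sha384)) would keep the block compiling on a header set that defines only one of each pair. The block comment explains the "why" well; a one-line note that the check is by long name (LN_*) rather than by NID would help the next reader understand why EVP_get_digestbyname() is the right test.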