Per Thorsheim:
> Mozilla and others have reported on old web clients that don't support
> the use of new SHA-256 signed SSL certificates on websites. In a recent
> thread at Mozilla
> https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c6, there's a
> reference to Qualys:
>
> "At this time, a site could use two certificates: ECDSA+SHA256 for
> modern clients and RSA+SHA1 for older clients."
> https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
> A feature supported by Apache at least.
>
> Is this something Postfix can do as well for STARTTLS support?
You mean specify both certificates in the same file?
Wietse
> Eventually any other ideas or experiences with using SHA-256
> certificates that have caused problems for STARTTLS, or e.g. appliances
> that don't support it?
>
> I already know that Cisco Ironport and Barracuda appliances only
> support up to and including TLSv1, haven't found any info there for
> SHA-256 certificates yet.
>
> BR,
> Per Thorsheim