From: Gregory BELLIER on
Hi.

if I copy an existing cipher in OpenSSL and rename it, it will act as if
it is a new cipher.

Would I need to build postfix against this new OpenSSL to be able to use
the new cipher? I think it's not required but I have a doubt.
How does the TLS negotiation work? I guess it is done by Postfix which
asks OpenSSL what ciphers are supported and depending on the
negotiation, Postfix stores the cipher's OID selected.
Therefore Postfix wouldn't care about the existing ciphers and would just
select the strongest one among the ciphers presented by OpenSSL.

All this for my first question, would it be required to rebuild postfix
if a new cipher makes its way in OpenSSL to be able to use it?

Thanks,
Gregory.

From: mouss on
Gregory BELLIER wrote:
> Hi.
>
> if I copy an existing cipher in OpenSSL and rename it, it will act as if
> it is a new cipher.
>
> Would I need to build postfix against this new OpenSSL to be able to use
> the new cipher? I think it's not required but I have a doubt.
> How does the TLS negotiation work? I guess it is done by Postfix which
> asks OpenSSL what ciphers are supported and depending on the
> negotiation, Postfix stores the cipher's OID selected.
> Therefore Postfix wouldn't care about the existing ciphers and would just
> select the strongest one among the ciphers presented by OpenSSL.
>
> All this for my first question, would it be required to rebuild postfix
> if a new cipher makes its way in OpenSSL to be able to use it?
>

$ ldd /usr/local/libexec/postfix/smtpd
/usr/local/libexec/postfix/smtpd:
....
libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2810a000)
libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28150000)
....

if you rebuild openssl but provide the same ABI, then it's ok. If you
can't, then you'll need to rebuild.

This is not a postfix related issue.
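
The practical form of the "same ABI" check above: the dynamic linker loads a library by its soname, so an existing smtpd binary keeps working only if the rebuilt OpenSSL installs libraries with the sonames ldd shows it needs. The script below is an added example, not code from this thread or from Postfix; it parses ldd output of the shape quoted above and compares the needed libssl/libcrypto sonames with the ones a new build provides. The sample ldd text, the paths and the soname version "7" are constructed for the example.

```python
"""Check which OpenSSL shared objects a Postfix daemon is linked against.

Added example, not code from the thread or from Postfix. It parses ldd
output of the shape shown in the thread, extracts the libssl/libcrypto
sonames the binary needs, and compares them with the sonames a rebuilt
OpenSSL installs. The sample ldd text, the paths and the soname
version "7" are constructed for this example.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample in the same shape as the thread's ldd output.
SAMPLE_LDD = """\
/usr/local/libexec/postfix/smtpd:
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280e0000)
        libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2810a000)
        libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28150000)
        libc.so.7 => /lib/libc.so.7 (0x28200000)
"""

# One ldd line: "<soname> => <resolved path> (<load address>)"
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")
OPENSSL_PREFIXES = ("libssl.so", "libcrypto.so")


def needed_openssl_libs(ldd_output: str) -> Dict[str, str]:
    """Map each libssl/libcrypto soname the binary needs to the file ldd resolved it to."""
    found = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(1).startswith(OPENSSL_PREFIXES):
            found[m.group(1)] = m.group(2)
    return found


def missing_sonames(ldd_output: str, provided: List[str]) -> List[str]:
    """Sonames the binary needs that the rebuilt OpenSSL does not provide.

    Empty means the existing binary will pick up the new libraries without
    a rebuild (the "same ABI" case). Anything listed means the soname
    changed and Postfix has to be relinked against the new OpenSSL.
    """
    needed = needed_openssl_libs(ldd_output)
    return sorted(s for s in needed if s not in set(provided))


def mismatched_versions(ldd_output: str) -> bool:
    """True if libssl and libcrypto resolve to different soname versions,
    which usually means two OpenSSL installations are being mixed."""
    versions = {name.split(".so.", 1)[1]
                for name in needed_openssl_libs(ldd_output) if ".so." in name}
    return len(versions) > 1


def ldd(path: str) -> str:
    """Run ldd on a real binary (assumes a Unix host with ldd on PATH)."""
    return subprocess.run(["ldd", path], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    text = ldd(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LDD
    print("needs:", needed_openssl_libs(text))
    print("mixed OpenSSL versions:", mismatched_versions(text))
```

A matching soname is necessary but not sufficient: the rebuilt library must also keep exporting the symbols the binary was linked against, otherwise smtpd fails at load time rather than silently misbehaving. Run the script with the path to smtpd as its argument to check a real installation.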

From: Victor Duchovni on
On Wed, Mar 24, 2010 at 11:09:44AM +0100, Gregory BELLIER wrote:

> if I copy an existing cipher in OpenSSL and rename it, it will act as if it
> is a new cipher.

On the wire SSL ciphers have numeric ids, not names. If you "rename"
a cipher, it just changes how it is displayed in logs. Renaming ciphers
is fairly pointless and counter-productive. Why would you do this?

> Would I need to build postfix against this new OpenSSL to be able to use
> the new cipher?

What new cipher? I thought you were just "renaming" an existing cipher.

And who else would implement your "new" cipher to inter-operate with
your Postfix?

And, if you don't already know the answer to your question and more (i.e.
you are not an expert in cryptography and OpenSSL internals), what are
you doing changing OpenSSL?


> How does the TLS negotiation work? I guess it is done by Postfix which
> asks OpenSSL what ciphers are supported and depending on the negotiation,
> Postfix stores the cipher's OID selected.

At this point, you really need to step back, take a deep breath, and
use OpenSSL as-is.

> All this for my first question, would it be required to rebuild postfix if
> a new cipher makes its way in OpenSSL to be able to use it?

No, Postfix uses all reasonably strong OpenSSL ciphers as soon as they
are introduced, preferring the strongest, as labeled by the OpenSSL
developers.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
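
To make the two points above concrete (suites are numeric ids on the wire, and the library's own ordering is what puts the strongest first), here is an added example that is not code from this thread or from Postfix. It uses the OpenSSL library behind Python's ssl module to resolve a cipherlist string into the suites it selects, the two-byte id each one carries in a ClientHello, and the preference order OpenSSL produces. The cipherlist strings are illustrative assumptions, not Postfix's defaults.

```python
"""Show what is actually negotiated: numeric cipher-suite ids, not names.

Added example, not code from the thread or from Postfix. It lists the
suites an OpenSSL cipherlist string selects, the 16-bit id each carries
on the wire, and OpenSSL's preference order. The cipherlist strings are
illustrative; they are not Postfix's own defaults.
"""
import ssl
import struct
from typing import Dict, List

# Assumed, illustrative cipherlist: strong and medium suites, no anonymous
# key exchange, ordered strongest-first by OpenSSL itself (@STRENGTH).
EXAMPLE_CIPHERLIST = "HIGH:MEDIUM:!aNULL:@STRENGTH"


def cipher_table(cipherlist: str) -> List[Dict]:
    """Resolve an OpenSSL cipherlist string into the suites it selects.

    'wire_id' is the 16-bit value sent on the wire; OpenSSL's internal id
    carries an extra 0x03 protocol byte on top, which is masked off here.
    The name is only how the suite is displayed in logs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return [
        {
            "wire_id": c["id"] & 0xFFFF,
            "name": c["name"],
            "protocol": c["protocol"],
            "bits": c["strength_bits"],
        }
        for c in ctx.get_ciphers()  # returned in preference order
    ]


def client_hello_cipher_field(cipherlist: str) -> bytes:
    """Encode the suites as the cipher_suites field of a TLS ClientHello:
    a 2-byte length followed by 2-byte suite ids, with no names anywhere."""
    ids = [row["wire_id"] for row in cipher_table(cipherlist)]
    body = b"".join(struct.pack("!H", i) for i in ids)
    return struct.pack("!H", len(body)) + body


def strongest_first(cipherlist: str) -> bool:
    """True if the pre-TLS 1.3 suites are listed in non-increasing key
    strength, so the peer sees the strongest suites first. TLS 1.3 suites
    are excluded because OpenSSL keeps them in a separate, fixed list."""
    bits = [r["bits"] for r in cipher_table(cipherlist)
            if r["protocol"] != "TLSv1.3"]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def weakest_bits(cipherlist: str) -> int:
    """Key strength of the weakest suite the cipherlist still allows."""
    return min(r["bits"] for r in cipher_table(cipherlist))


if __name__ == "__main__":
    for row in cipher_table(EXAMPLE_CIPHERLIST):
        print(f"0x{row['wire_id']:04X}  {row['bits']:>3} bits  "
              f"{row['protocol']:<8} {row['name']}")
    print("ClientHello cipher_suites:",
          client_hello_cipher_field(EXAMPLE_CIPHERLIST).hex())
```

Renaming a suite in OpenSSL changes only the `name` column of this table; the `wire_id` column, which is all the peer ever sees, stays the same, and a suite whose id the peer does not recognise is simply skipped during negotiation.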

From: Gregory BELLIER on


Victor Duchovni wrote:
> On Wed, Mar 24, 2010 at 11:09:44AM +0100, Gregory BELLIER wrote:
>
>
>> if I copy an existing cipher in OpenSSL and rename it, it will act as if it
>> is a new cipher.
>>
>
> On the wire SSL ciphers have numeric ids, not names. If you "rename"
> a cipher, it just changes how it is displayed in logs. Renaming ciphers
> is fairly pointless and counter-productive. Why would you do this?
>
Yes, renaming and changing the OID. Yes, it's useless but I want to
learn. Therefore, I do useless stuff.
>
>> Would I need to build postfix against this new OpenSSL to be able to use
>> the new cipher?
>>
>
> What new cipher? I thought you were just "renaming" an existing cipher.
>
Inserting a "new" one. It's just a copy with a new name and a new OID.
> And who else would implement your "new" cipher to inter-operate with
> your Postfix?
>
No one.
>
>> How does the TLS negotiation work? I guess it is done by Postfix which
>> asks OpenSSL what ciphers are supported and depending on the negotiation,
>> Postfix stores the cipher's OID selected.
>>
>
> At this point, you really need to step back, take a deep breath, and
> use OpenSSL as-is.
>
As I said, it's to learn. If I do nothing then it's pointless.

What I ask is not your point on if it's relevant to do it or not because
we all know it's not.

From: Gregory BELLIER on


mouss wrote:
> $ ldd /usr/local/libexec/postfix/smtpd
> /usr/local/libexec/postfix/smtpd:
> ...
> libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2810a000)
> libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28150000)
> ...
>
> if you rebuild openssl but provide the same ABI, then it's ok. If you
> can't, then you'll need to rebuild.
>
> This is not a postfix related issue.
>
Alright, thanks.