Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: openssl3+postfix issue (ca md too weak)

On 14/11/23 10:56, Joerg Sonnenberger wrote:

NIST has been sunsetting SHA1 for a long time, 2016 in fact. In many cases, there is a better trust chain
for Comodo intermediary certificates and admins should be installing those.

I'm not sure that's what Comodo has, even though it is the normal way of doing things.

I found a Comodo web page that said SHA1 will be fine, so don't worry, and if you are worried, you can buy a different certificate. That same web page's link to their intermediate certificates is a dead link. Comodo does not fill me with confidence.

I'm going to guess that the default @SECLEVEL of openssl needs to be adjusted if there is no Postfix specific way to adjust it. Apparently you can set the environment variable OPENSSL_CONF to run with a custom openssl configuration which can avoid reducing the security level of the rest of your system. Searching for "openssl @SECLEVEL" gave me the usual levels of StackExchange clarity, so ymmv.


Home | Main Index | Thread Index | Old Index