Re: openssl3+postfix issue (ca md too weak)

[Manuel Bouyer <bouyer%antioche.eu.org@localhost>]

On Tue, Nov 14, 2023 at 11:10:16AM +1300, Lloyd Parkes wrote:
> 
> 
> On 14/11/23 10:56, Joerg Sonnenberger wrote:
> > 
> > NIST has been sunsetting SHA1 for a long time, 2016 in fact. In many cases, there is a better trust chain
> > for Comodo intermediary certificates and admins should be installing those.
> 
> I'm not sure that's what Comodo has, even though it is the normal way of
> doing things.
> 
> I found a Comodo web page that said SHA1 will be fine, so don't worry, and
> if you are worried, you can buy a different certificate. That same web
> page's link to their intermediate certificates is a dead link. Comodo does
> not fill me with confidence.

Unfortunably I don't have the choise for this one.

> 
> I'm going to guess that the default @SECLEVEL of openssl needs to be
> adjusted if there is no Postfix specific way to adjust it. Apparently you
> can set the environment variable OPENSSL_CONF to run with a custom openssl
> configuration which can avoid reducing the security level of the rest of
> your system. Searching for "openssl @SECLEVEL" gave me the usual levels of
> StackExchange clarity, so ymmv.

I tried this; but nothing that I've tried in /etc/openssl/openssl.cnf
did seems to have any effect. I wonder if postfix is doing some specific
openssl setup that overrides the openssl.cnf settings.

But also note that I could not reproduce the problem with openssl s_client

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--