Re: openssl3+postfix issue (ca md too weak)

To: current-users%netbsd.org@localhost, tech-crypto%netbsd.org@localhost
Subject: Re: openssl3+postfix issue (ca md too weak)
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Tue, 14 Nov 2023 16:53:19 +0100

On Mon, Nov 13, 2023 at 08:34:04PM +0100, Manuel Bouyer wrote:
> Hello
> I'm facing an issue with postfix+openssl3 which may be critical (depending
> on how it can be fixed).
> 
> Now my postfix setup fails to send mails with
> Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
> 
> >From what I understood, this is the remote certificate which is not accepted:
> openssl 3 deprecated some signature algorithm, which are no longer accepted
> with @SECLEVEL=1 (which is the default).

I didn't understand. The message is not about the server certificate but the
client certificate (which, indeed, is quite old and uses a private CA).
Even though no client certificate is requested for this server, is seems
that postfix loads it and errors out if it's too weak. This is quite
confusing ...

The good news is, as it's a private CA I can rebuild it :)

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

References:
- openssl3+postfix issue (ca md too weak)
  - From: Manuel Bouyer

Prev by Date: Re: openssl3+postfix issue (ca md too weak)
Next by Date: Offer to contribute
Previous by Thread: Re: openssl3+postfix issue (ca md too weak)
Next by Thread: Offer to contribute
Indexes:

Home | Main Index | Thread Index | Old Index