tech-crypto archive


Re: openssl3+postfix issue (ca md too weak)

On Mon, Nov 13, 2023 at 08:34:04PM +0100, Manuel Bouyer wrote:
> Hello
> I'm facing an issue with postfix+openssl3 which may be critical (depending
> on how it can be fixed).
> Now my postfix setup fails to send mails with
> Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
> From what I understood, this is the remote certificate which is not accepted:
> openssl 3 deprecated some signature algorithms, which are no longer accepted
> with @SECLEVEL=1 (which is the default).

I didn't understand. The message is not about the server certificate but the
client certificate (which, indeed, is quite old and uses a private CA).
Even though no client certificate is requested for this server, it seems
that postfix loads it and errors out if it's too weak. This is quite
confusing ...

The good news is, as it's a private CA I can rebuild it :)

Manuel Bouyer
     NetBSD: 26 years of experience will always make the difference
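
A check for the situation described in this message, as an added example that is not part of the original post: it prints the signature digest of each certificate file given (for instance the client certificate and the private CA certificate) and flags MD5 and SHA-1, which OpenSSL 3 rejects at security level 1. The function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: report the signature digest of certificate files and flag
# the ones OpenSSL 3 refuses at security level 1 ("md too weak").
# Usage (placeholder file names): sh check_md.sh client-cert.pem ca-cert.pem
# Each file is expected to hold one PEM certificate.

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm" value, e.g. sha1WithRSAEncryption.
sig_alg_from_text() {
    sed -n '/Signature Algorithm:/{s/.*Signature Algorithm: *//p;q;}'
}

# Succeed when the algorithm name contains MD2, MD4, MD5 or SHA-1.
# RSASSA-PSS names its hash on a separate line and is not covered here.
is_weak_md() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every PEM file given; return 1 if any certificate uses a weak digest
# or cannot be read.
check_certs() {
    rc=0
    for f in "$@"; do
        alg=$(openssl x509 -in "$f" -noout -text | sig_alg_from_text)
        if [ -z "$alg" ]; then
            echo "UNREADABLE $f"; rc=1
        elif is_weak_md "$alg"; then
            echo "WEAK  $f: $alg (reissue with SHA-256 or better)"; rc=1
        else
            echo "ok    $f: $alg"
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```
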
