On Tue, Aug 15, 2017 at 06:57:26PM +0200, Ralph Seichter wrote:

> On 15.08.2017 18:27, Viktor Dukhovni wrote:
> 
> > Don't forget to add:
> > -o smtpd_tls_ask_ccert=yes
> > -o smtpd_tls_fingerprint_digest=sha256
> 
> Quite so, I had trimmed down my example configuration snippet too much.
> 
> Interestingly, 
> http://www.postfix.org/postconf.5.html#smtpd_tls_fingerprint_digest
> does not appear to mention SHA256 as a possible option?

The supported digest names/algorithms are a feature of the underlying
OpenSSL library; Postfix just passes the specified name to
EVP_get_digestbyname(3).

The Postfix documentation has not kept up with OpenSSL evolution.

> I'm still using SHA1, because I thought this was, as of 2017-08, the best
> algorithm available for smtpd_tls_fingerprint_digest.

In the absence of any realistic 2nd-preimage attacks on even MD5,
let alone SHA1, it is, I believe, still safe to use SHA1 as the
fingerprint digest.  However, use of SHA256 can reduce concerns
about surprising future developments.

-- 
        Viktor.
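
Added example, not part of the original message: computing a client certificate fingerprint under a named digest, so that fingerprint table entries can be regenerated when smtpd_tls_fingerprint_digest changes from sha1 to sha256. Python's hashlib.new() resolves digest names through its OpenSSL backend, much as the message describes for Postfix; the helper names and the sample PEM are assumptions, and the output uses the colon-separated upper-case hex layout printed by `openssl x509 -fingerprint`.

```python
import hashlib
import ssl

# Constructed sample: PEM armor around 16 placeholder bytes (0x00..0x0f).
# This is NOT a real X.509 certificate; substitute the client's actual PEM.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODw==
-----END CERTIFICATE-----
"""


def fingerprint_der(der: bytes, digest_name: str = "sha256") -> str:
    """Digest the DER bytes and format as colon-separated upper-case hex."""
    try:
        # The name is looked up at run time, so which digests exist
        # depends on the crypto library build, not on this script.
        h = hashlib.new(digest_name, der)
    except ValueError as exc:
        raise ValueError(
            f"digest {digest_name!r} is not available in this build"
        ) from exc
    return ":".join(f"{b:02X}" for b in h.digest())


def fingerprint_pem(pem: str, digest_name: str = "sha256") -> str:
    """Strip the PEM armor, then fingerprint the enclosed DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return fingerprint_der(der, digest_name)


def migration_entries(pem: str, names=("sha1", "sha256")) -> dict:
    """Fingerprints of one certificate under each digest, for swapping
    the old table entry for the new one when the digest setting changes."""
    return {name: fingerprint_pem(pem, name) for name in names}


if __name__ == "__main__":
    for name, fp in migration_entries(SAMPLE_PEM).items():
        print(f"{name:8s} {fp}")
```

Table entries computed under one digest never match once the server is configured with another, so the entries and the digest setting have to change together.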
