On Tue, Oct 14, 2025 at 11:07:48PM +0200, Sebastian Andrzej Siewior via
Postfix-devel wrote:
> > We have a better fix: deprecate explicit curve settings and
> > rely on the OpenSSL defaults.
>
> Do you suggest DEF_TLS_EECDH_AUTO / tls_eecdh_auto_curves should become
> an empty string by default or did I misunderstand?

The defaults may change in the not too distant future, but for now a
sufficiently motivated user can explicitly change the settings as
suggested in the documentation.

For just the default OpenSSL groups it suffices to set:

    $ postconf -nf | grep -E 'dh'
    tls_eecdh_auto_curves =
    tls_ffdhe_auto_groups =

The tls_config_* settings are only needed in the rare case that you need
to override those defaults.

--
Viktor. 🇺🇦 Слава Україні!