gmx:
> In-Reply-To-Message-ID: 20091109012901.6d90f1f3...@spike.porcupine.org
>
> Hi Wietse and Victor,
>
> Thank you very much for your analyses
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
>
> As a practitioner, the following question arises as we are in a business
> partner context as you describe in
> http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
>
> 1) will
>    a) smtpd_tls_ask_ccert,
>    b) smtpd_tls_wrappermode,
>    c) smtpd_use_tls,
>    d) smtpd_enforce_tls
> still work with the new openssl 0.9.8l
> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?
They will break if some REMOTE system wants to renegotiate TLS, using a
protocol that is not supported by the LOCAL TLS implementation.

Note that it says: "remote system wants to renegotiate". Postfix does not
request renegotiation, as far as I know.

> 3) on p. 11, you say <<Wietse and Victor concocted detection mechanisms and
> workarounds. Some may even end up in Postfix.>> - will they still be needed
> with the new openssl that disables renegotiation altogether?

These CLIENT-SIDE workarounds detect some attacks when you are talking to
servers with vulnerable SSL implementations.

	Wietse