gmx:
> In-Reply-To-Message-ID:  20091109012901.6d90f1f3...@spike.porcupine.org
> 
> Hi Wietse and Victor,
> 
> Thank you very much for your analyses
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
> 
> As a practitioner, the following question arises as we are in a business
> partner context as you describe in
> http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
> 
> 1) will 
>   a) smtpd_tls_ask_ccert, 
>   b) smtpd_tls_wrappermode, 
>   c) smtpd_use_tls, 
>   d) smtpd_enforce_tls
> still work with the new openssl 0.9.8l
> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?

They will break if some REMOTE system wants to renegotiate TLS, using
a protocol that is not supported by the LOCAL TLS implementation.

Note that it says: "remote system wants to renegotiate". Postfix
does not request renegotiation, as far as I know.

> 3) on p. 11, you say <<Wietse and Victor concocted detection mechanisms and
> workarounds. Some may even end up in Postfix.>> - will they still be needed
> with the new openssl that disables renegotiation altogether?

These CLIENT-SIDE workarounds detect some attacks when you are
talking to servers with vulnerable SSL implementations.

        Wietse