On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote:

> > with instructions on how to extract public key digests from X.509
> > certs also at:
> >
> > http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
>
> Those instructions had me confused a bit, I think I now see why. I'd
> used the concatenation of "openssl x509 ... | openssl rsa ... | openssl
> dgst ..." to compute the fingerprint at first, which resulted in a
> mismatch when connecting to the server in question.

If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
fingerprints, or upgrade to 2.9.6 or later. Support for public key
fingerprints was added in Postfix 2.9, but was using the wrong public
key digest function until 2.9.6.

> Since then I've noticed that the
> documentation does state that the computation of the fingerprint changed
> with Postfix 2.9, I'd missed that bit previously. I probably had read
> the sentence about certificate fingerprint verification being available
> since Postfix 2.5, and public-key fingerprints being supported since
> Postfix 2.9, but obviously I hadn't taken them to be mutually exclusive.

They are not mutually exclusive. With 2.9.6 you can use either correctly
computed certificate fingerprints or correctly computed public key
fingerprints. With anything earlier you get only correctly computed
certificate fingerprints, and with 2.9.0--2.9.5 broken support for
public key fingerprints.

> BTW, are there any plans for the Postfix TLS code to support CRL and/or
> OCSP checks?

Not at this time.

--
	Viktor.
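The two fingerprint kinds discussed above, as an added example that is not part of the thread: a certificate fingerprint is a digest over the DER-encoded certificate, a public key fingerprint is a digest over the DER-encoded SubjectPublicKeyInfo, and a helper classifies a value the way a Postfix smtp_tls_fingerprint_cert_match entry would be matched. It assumes the openssl CLI is installed and generates its own throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Postfix. Assumes
# the openssl CLI; the certificate it digests is a constructed throwaway one.
set -eu

strip_label() { sed 's/^.*= //'; }        # "SHA1(stdin)= aa:bb:..." -> "aa:bb:..."

# Certificate fingerprint (Postfix >= 2.5): digest over the DER-encoded certificate.
cert_fingerprint() {                      # $1 = PEM cert, $2 = digest name
    openssl x509 -in "$1" -outform DER | openssl dgst "-${2:-sha1}" -c | strip_label
}

# Public key fingerprint (computed correctly only in Postfix >= 2.9.6): digest
# over the DER-encoded SubjectPublicKeyInfo, hence "openssl pkey -pubin -outform DER".
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst "-${2:-sha1}" -c | strip_label
}

# Digest over the PEM text of the public key: looks like a fingerprint but
# Postfix will never match it, shown here to make the encoding step visible.
pem_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst "-${2:-sha1}" -c | strip_label
}

# Report which kind of fingerprint a configured value is (cert, pubkey or none),
# comparing hex case-insensitively as Postfix does.
classify_fingerprint() {                  # $1 = PEM cert, $2 = digest, $3 = value
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$want" = "$(cert_fingerprint "$1" "$2")" ]; then echo cert
    elif [ "$want" = "$(pubkey_fingerprint "$1" "$2")" ]; then echo pubkey
    else echo none; fi
}

# Constructed test certificate: throwaway RSA key, self-signed, valid one day.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$CERT" \
    -subj '/CN=example.invalid' -days 1 >/dev/null 2>&1

echo "certificate sha1: $(cert_fingerprint "$CERT" sha1)"
echo "public key sha1:  $(pubkey_fingerprint "$CERT" sha1)"
echo "PEM-text digest:  $(pem_pubkey_digest "$CERT" sha1)   (matches nothing)"
```

Feed an existing server certificate instead of the generated one to check which kind of value a main.cf entry actually holds before relying on it.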