Mozilla and others have reported on old web clients that don't support the use of new SHA-256 signed SSL certificates on websites. In a recent thread at Mozilla https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c6, there's a reference to Qualys:

"At this time, a site could use two certificates: ECDSA+SHA256 for modern clients and RSA+SHA1 for older clients."
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

A feature supported by Apache at least. Is this something Postfix can do as well for STARTTLS support?

Eventually any other ideas or experiences with using SHA-256 certificates that have caused problems for STARTTLS, or e.g. appliances that don't support it? I already know that Cisco Ironport and Barracuda appliances only support up to and including TLSv1; I haven't found any info there for SHA-256 certificates yet.

BR,
Per Thorsheim