On Tue, Aug 15, 2017 at 07:20:32PM +0200, Ralph Seichter wrote:
> On 15.08.2017 19:12, Viktor Dukhovni wrote:
>
> > The supported digest names/algorithms are a feature of the underlying
> > OpenSSL library, Postfix just passes the specified name to
> > EVP_get_digestbyname(3).
>
> Fair enough. It might be worth mentioning this in the Postfix docs.
>
> > In the absence of any realistic 2nd-preimage attacks on even MD5,
> > let alone SHA1, it is I believe still safe to use SHA1 as the
> > fingerprint digest.
>
> I agree, and I am not worried about SHA1 at this point. Still, if better
> digests are available simply by configuring a different algorithm name
> via smtpd_tls_fingerprint_digest, I'm all for using one of them.
Please review the documentation patch: https://github.com/vdukhovni/postfix/commit/7eb43e11987d9e7a9fd6fdb309726c3a19099a98 -- Viktor. commit 7eb43e11987d9e7a9fd6fdb309726c3a19099a98 Author: Viktor Dukhovni <postfix-us...@dukhovni.org> Date: Tue Aug 15 17:38:04 2017 +0000 Update fingerprint digest documentation diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index f8595a4e..7d6eeeb8 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -12191,17 +12191,16 @@ certificate (or public/private key-pair) that has the same fingerprint. </p> <p> The default algorithm is <b>md5</b>; this is consistent with the backwards compatible setting of the digest used to verify client -certificates in the SMTP server. </p> +certificates in the SMTP server. Any other digest algorithm supported +by your OpenSSL library (and enabled via OpenSSL_add_ssl_algorithms()) +may be used instead. See the manpage for the OpenSSL "dgst" command for +the list of implemented algorithms. </p> -<p> The best practice algorithm is now <b>sha1</b>. Recent advances in hash -function cryptanalysis have led to md5 being deprecated in favor of sha1. -However, as long as there are no known "second pre-image" attacks -against md5, its use in this context can still be considered safe. -</p> - -<p> While additional digest algorithms are often available with OpenSSL's -libcrypto, only those used by libssl in SSL cipher suites are available to -Postfix. For now this means just md5 or sha1. </p> +<p> Advances in hash function cryptanalysis have led to MD5 being +deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256, +SHA384 and SHA512). However, as long as there are no known "second +pre-image" attacks against MD5, its use in this context can still be +considered safe. </p> <p> To find the fingerprint of a specific certificate file, with a specific digest algorithm, run: 
@@ -12342,21 +12341,21 @@ configuration parameter. See there for details. </p> %PARAM smtpd_tls_fingerprint_digest md5 <p> The message digest algorithm to construct remote SMTP -client-certificate -fingerprints or public key fingerprints (Postfix 2.9 and later) -for <b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>. The -default algorithm is <b>md5</b>, for backwards compatibility with Postfix -releases prior to 2.5. </p> - -<p> Advances in hash -function cryptanalysis have led to md5 being deprecated in favor of sha1. -However, as long as there are no known "second pre-image" attacks -against md5, its use in this context can still be considered safe. -</p> - -<p> While additional digest algorithms are often available with OpenSSL's -libcrypto, only those used by libssl in SSL cipher suites are available to -Postfix. </p> +client-certificate fingerprints or public key fingerprints +(Postfix 2.9 and later) for <b>check_ccert_access</b> and +<b>permit_tls_clientcerts</b>. The default algorithm is <b>md5</b>, +for backwards compatibility with Postfix releases prior to 2.5. </p> + +<p> Any other digest algorithm supported by your OpenSSL library (and +enabled via OpenSSL_add_ssl_algorithms()) may be used instead. See +the manpage for the OpenSSL "dgst" command for the list of implemented +algorithms. </p> + +<p> Advances in hash function cryptanalysis have led to MD5 being +deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256, +SHA384 and SHA512). However, as long as there are no known "second +pre-image" attacks against MD5, its use in this context can still be +considered safe. </p> <p> To find the fingerprint of a specific certificate file, with a specific digest algorithm, run: </p>
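Review bot: In the first hunk (smtp_tls_fingerprint_digest, around line 12191) the two new sentences pull in different directions: the name is only found if it was registered by OpenSSL_add_ssl_algorithms(), yet readers are sent to the "dgst" manpage, which lists everything libcrypto implements, including digests that call may not register; a user who picks a name from that list can still get an unsupported-digest error. Suggest saying the manpage gives the candidate names and that only those the library has registered will work, or simply listing the ones expected to be available (md5, sha1, sha224, sha256, sha384, sha512), which the following paragraph already names. Dropping "The best practice algorithm is now <b>sha1</b>" also leaves this section with no recommended value at all; since the thread agrees MD5 is deprecated, keep one sentence stating what a new deployment should configure.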
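Review bot: In the second hunk (smtpd_tls_fingerprint_digest, around line 12341) the alternative digests appear only as prose names ("SHA1", "SHA224", ...) while the default is shown as the literal parameter value <b>md5</b>; readers looking for what to put in main.cf do not see the lowercase values. Suggest using the same markup for the alternatives, e.g. "<b>sha1</b>, <b>sha256</b>", in both this hunk and the matching paragraph of the first hunk so the two sections stay consistent.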
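The digest-name passthrough that Viktor describes above, and the certificate fingerprints that the patched documentation refers to, as an added example that is not part of this thread and not Postfix code. It is written in Python with hashlib.new() standing in for EVP_get_digestbyname(3): an unknown name is rejected by the library rather than by the caller, and a known name yields the fingerprint in the colon-separated uppercase hex form that OpenSSL prints and that check_ccert_access tables are keyed on. The DER bytes are constructed for the demonstration and are not a real certificate; the function names are this example's own.

```python
"""Emulate smtpd_tls_fingerprint_digest name resolution and fingerprinting.

Added example, not Postfix code. hashlib.new(name) plays the role of
EVP_get_digestbyname(3): the configured name is handed to the digest
library unchanged, and the library decides whether it is supported.
"""
import hashlib

# Constructed stand-in for DER-encoded certificate bytes. This is NOT a real
# certificate; a fingerprint is just the digest of the DER bytes, exactly as
# it would be for the output of 'openssl x509 -outform DER'.
SAMPLE_DER = bytes.fromhex(
    "308201a23082010ba003020102020101300d06092a864886f70d01010b0500"
)


def resolve_digest(name):
    """Look up a digest by its configured name, like EVP_get_digestbyname(3).

    Returns a constructor for the digest, or None when the library does not
    implement that name (the equivalent of a NULL return in OpenSSL).
    """
    try:
        hashlib.new(name)  # raises ValueError for names hashlib cannot provide
    except ValueError:
        return None
    return lambda data=b"": hashlib.new(name, data)


def cert_fingerprint(der, digest_name):
    """Fingerprint of DER certificate bytes as 'AA:BB:...' (uppercase hex).

    Raises ValueError when the digest name is unsupported, which is the
    failure a bad smtpd_tls_fingerprint_digest value produces.
    """
    ctor = resolve_digest(digest_name)
    if ctor is None:
        raise ValueError(f"unsupported digest: {digest_name}")
    raw = ctor(der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def access_map_line(der, digest_name, action="OK"):
    """One check_ccert_access lookup-table line: fingerprint key plus result."""
    return f"{cert_fingerprint(der, digest_name)} {action}"


def supported(names):
    """Split candidate digest names into accepted and rejected lists.

    This is the check that decides whether a given parameter value works
    with the digest library the MTA was linked against.
    """
    ok = [n for n in names if resolve_digest(n) is not None]
    bad = [n for n in names if resolve_digest(n) is None]
    return ok, bad


if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        print(name, access_map_line(SAMPLE_DER, name))
    print(supported(["md5", "sha1", "sha256", "sha512", "no-such-digest"]))
```

Note that the table key depends on both the certificate bytes and the configured digest, so changing smtpd_tls_fingerprint_digest invalidates every existing fingerprint entry in the access map; regenerate the map with the new digest before switching the parameter.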