I have more questions.
Wietse Venema:
> Viktor Dukhovni:
> > state->client_start_props->fd = state->ciphertext_fd;
> > /* These predicates and warning belong inside tls_client_start(). */
> > if (!tls_dane_avail() /* mandatory side effects!! */
> > -
On Fri, Aug 21, 2020 at 10:59:11AM -0400, Wietse Venema wrote:
> > Viktor Dukhovni:
> > > - &_DANE_BASED(state->client_start_props->tls_level))
> > > + && TLS_DANE_HASTA(state->client_start_props->dane))
> > > msg_warn("%s: DANE requested, but not available",
> > >
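Review bot: The warning text on the context line after the changed predicate still reads "DANE requested, but not available", but the new condition `TLS_DANE_HASTA(state->client_start_props->dane)` tests for trust anchors rather than the TLS level. If trust anchors can be present at a non-DANE level (the thread mentions tafile-based delivery), the message will not match what triggered it, so consider rewording it to name trust-anchor support. Separately, the quoted comment says tls_dane_avail() has mandatory side effects, so it has to remain the first operand of the `&&` and must not be reordered behind the new predicate, where short-circuit evaluation could skip it.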
Viktor Dukhovni:
> On Fri, Aug 21, 2020 at 10:59:11AM -0400, Wietse Venema wrote:
>
> > > Viktor Dukhovni:
> > > > - &_DANE_BASED(state->client_start_props->tls_level))
> > > > + && TLS_DANE_HASTA(state->client_start_props->dane))
> > > > msg_warn("%s: DANE requested, but not
> On Aug 21, 2020, at 5:21 PM, thorsten.hab...@findichgut.net wrote:
>
> By the way I already applied your last patch on the testing environment.
> No problems found so far. tafile and CApath based mandatory TLS delivery
> work just fine.
Thanks for the confirmation. Fortunately, the good news
thorsten.hab...@findichgut.net:
> Any chance to backport the patch to 3.4/3.5?
This is more change than is allowed in a stable release. Postfix
3.6 drops support for OpenSSL < 1.1.1, deletes o(thousand) lines
of DANE support from the Postfix TLS library, and replaces it with
o(hundred) lines to
On Fri, Aug 21, 2020 at 03:11:50PM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > On Fri, Aug 21, 2020 at 10:59:11AM -0400, Wietse Venema wrote:
> >
> > > > Viktor Dukhovni:
> > > > > - &_DANE_BASED(state->client_start_props->tls_level))
> > > > > + &&
Viktor Dukhovni:
> On Fri, Aug 21, 2020 at 03:11:50PM -0400, Wietse Venema wrote:
>
> > Viktor Dukhovni:
> > > On Fri, Aug 21, 2020 at 10:59:11AM -0400, Wietse Venema wrote:
> > >
> > > > > Viktor Dukhovni:
> > > > > > - &_DANE_BASED(state->client_start_props->tls_level))
> > > > > > + &&
On Fri, Aug 21, 2020 at 05:38:42PM -0400, Wietse Venema wrote:
> thorsten.hab...@findichgut.net:
> > Any chance to backport the patch to 3.4/3.5?
>
> This is more change than is allowed in a stable release. Postfix
> 3.6 drops support for OpenSSL < 1.1.1, deletes o(thousand) lines
> of DANE
On Fri, Aug 21, 2020 at 10:32:10AM +0300, Thorsten Habich wrote:
> > This is relevant, but probably not 100% accurate, likely some domains
> > also intermittently failed routine CAfile-based validation.
>
> Thanks for the patch. There was no higher number of certificate
> verification failures