Ok, I think I've got a partial workaround. If I'm reading the TLS 1.3
spec (and the output of `openssl ciphers -s -tls1_3`) correctly, it has
an effective minimum of 128 bits of security with forward secrecy, not
including the security of the public key(s) or PKIX signatures. So as
long as the
On 23-09-2021 at 22:26, Viktor Dukhovni wrote:
On Thu, Sep 23, 2021 at 10:02:26PM -0400, David Mandelberg wrote:
With the settings below, postfix 3.5.6 and openssl 1.1.1k successfully
connected to a server with a 2048-bit RSA key, which should be
disallowed by openssl's security level 4.
On Thu, Sep 23, 2021 at 10:02:26PM -0400, David Mandelberg wrote:
> With the settings below, postfix 3.5.6 and openssl 1.1.1k successfully
> connected to a server with a 2048-bit RSA key, which should be
> disallowed by openssl's security level 4.
Postfix explicitly overrides the security
Hi,
With the settings below, postfix 3.5.6 and openssl 1.1.1k successfully
connected to a server with a 2048-bit RSA key, which should be
disallowed by openssl's security level 4.
tls_high_cipherlist = DEFAULT:!eNULL:!aNULL:@SECLEVEL=4:@STRENGTH
smtp_tls_mandatory_ciphers = high
When I use