Module Name:	src
Committed By:	tron
Date:		Wed Aug 21 20:12:31 UTC 2013

Modified Files:
	src/external/ibm-public/postfix/dist/README_FILES: TLS_README
	src/external/ibm-public/postfix/dist/html: TLS_README.html postconf.5.html
	src/external/ibm-public/postfix/dist/man/man5: postconf.5
	src/external/ibm-public/postfix/dist/proto: TLS_README.html postconf.proto
	src/external/ibm-public/postfix/dist/src/global: mail_params.h
	src/external/ibm-public/postfix/dist/src/tls: tls_client.c

Log Message:
Resolve conflicts from last import.

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 \
    src/external/ibm-public/postfix/dist/README_FILES/TLS_README
cvs rdiff -u -r1.7 -r1.8 \
    src/external/ibm-public/postfix/dist/html/TLS_README.html
cvs rdiff -u -r1.10 -r1.11 \
    src/external/ibm-public/postfix/dist/html/postconf.5.html
cvs rdiff -u -r1.10 -r1.11 \
    src/external/ibm-public/postfix/dist/man/man5/postconf.5
cvs rdiff -u -r1.6 -r1.7 \
    src/external/ibm-public/postfix/dist/proto/TLS_README.html
cvs rdiff -u -r1.10 -r1.11 \
    src/external/ibm-public/postfix/dist/proto/postconf.proto
cvs rdiff -u -r1.9 -r1.10 \
    src/external/ibm-public/postfix/dist/src/global/mail_params.h
cvs rdiff -u -r1.6 -r1.7 \
    src/external/ibm-public/postfix/dist/src/tls/tls_client.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/external/ibm-public/postfix/dist/README_FILES/TLS_README diff -u src/external/ibm-public/postfix/dist/README_FILES/TLS_README:1.6 src/external/ibm-public/postfix/dist/README_FILES/TLS_README:1.7 --- src/external/ibm-public/postfix/dist/README_FILES/TLS_README:1.6 Wed Jan 2 19:18:30 2013 +++ src/external/ibm-public/postfix/dist/README_FILES/TLS_README Wed Aug 21 20:12:30 2013 
@@ -462,6 +462,34 @@ host: /etc/postfix/relay_clientcerts: D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home +To extract the public key fingerprint from an X.509 certificate, you need to +extract the public key from the certificate and compute the appropriate digest +of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" +command extracts the public key always in "PEM" format. We pipe the result to +another OpenSSL command that converts the key to DER and then to the "dgst" +command to compute the fingerprint. + +The actual command to transform the key to DER format depends on the version of +OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key +types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses +DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is +used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + +Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To +use public-key fingerprints, upgrade to Postfix 2.9.6 or later. + SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss The Postfix SMTP server supports 5 distinct cipher security levels as specified 
@@ -823,6 +851,34 @@ the example above, we show two matching match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 +To extract the public key fingerprint from an X.509 certificate, you need to +extract the public key from the certificate and compute the appropriate digest +of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" +command extracts the public key always in "PEM" format. We pipe the result to +another OpenSSL command that converts the key to DER and then to the "dgst" +command to compute the fingerprint. + +The actual command to transform the key to DER format depends on the version of +OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key +types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses +DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is +used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + +Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To +use public-key fingerprints, upgrade to Postfix 2.9.6 or later. 
+ MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn At the "verify" TLS security level, messages are sent only over TLS encrypted Index: src/external/ibm-public/postfix/dist/html/TLS_README.html diff -u src/external/ibm-public/postfix/dist/html/TLS_README.html:1.7 src/external/ibm-public/postfix/dist/html/TLS_README.html:1.8 --- src/external/ibm-public/postfix/dist/html/TLS_README.html:1.7 Wed Jan 2 19:18:31 2013 +++ src/external/ibm-public/postfix/dist/html/TLS_README.html Wed Aug 21 20:12:30 2013 
@@ -677,6 +677,39 @@ the name of the user or host:</p> </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h3><a name="server_cipher">Server-side cipher controls</a> </h3> <p> The Postfix SMTP server supports 5 distinct cipher security levels 
@@ -1074,7 +1107,7 @@ required. The certificate trust chain, not checked. Instead, the <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> parameter or the "match" attribute in the <a href="#client_tls_policy">policy</a> table lists the remote SMTP server certificate fingerprint or -public key fingerprint (Postfix 2.9 and later). +public key fingerprint (Postfix 2.9 and later). </p> <p> If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs 
@@ -1136,6 +1169,39 @@ As in the example above, we show two mat </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. 
</p> + <h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4> <p> At the "verify" TLS security level, messages are sent only over Index: src/external/ibm-public/postfix/dist/html/postconf.5.html diff -u src/external/ibm-public/postfix/dist/html/postconf.5.html:1.10 src/external/ibm-public/postfix/dist/html/postconf.5.html:1.11 --- src/external/ibm-public/postfix/dist/html/postconf.5.html:1.10 Wed Jan 2 19:18:31 2013 +++ src/external/ibm-public/postfix/dist/html/postconf.5.html Wed Aug 21 20:12:30 2013 @@ -8440,6 +8440,10 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8 an appropriate <a href="access.5.html">access(5)</a> policy for each client. See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p> +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <p>This feature is available with Postfix version 2.2.</p> 
@@ -10895,11 +10899,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. 
</p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> This feature is available in Postfix 2.5 and later. </p> 
@@ -14688,11 +14728,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. 
</p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> Example: client-certificate access table, with sha1 fingerprints: </p> @@ -15587,6 +15663,25 @@ OpenSSL releases. </p> </DD> +<DT><b><a name="tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> +(default: no)</b></DT><DD> + +<p> A temporary migration aid for sites that use certificate +<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. </p> + +<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see <a href="TLS_README.html">TLS_README</a>. </p> + +<p> This feature is available in Postfix 2.9.6 and later. </p> + + +</DD> + <DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a> (default: ALL:!EXPORT:+RC4:@STRENGTH)</b></DT><DD> Index: src/external/ibm-public/postfix/dist/man/man5/postconf.5 diff -u src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.10 src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.11 --- src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.10 Wed Jan 2 19:18:32 2013 +++ src/external/ibm-public/postfix/dist/man/man5/postconf.5 Wed Aug 21 20:12:31 2013 @@ -1,4 +1,4 @@ -.\" $NetBSD: postconf.5,v 1.10 2013/01/02 19:18:32 tron Exp $ +.\" $NetBSD: postconf.5,v 1.11 2013/08/21 20:12:31 tron Exp $ .\" .TH POSTCONF 5 .SH NAME 
@@ -4889,6 +4889,10 @@ For more fine-grained control, use check an appropriate \fBaccess\fR(5) policy for each client. See RESTRICTION_CLASS_README. .PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. +.PP This feature is available with Postfix version 2.2. .SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit) The maximal number of parallel deliveries to the same destination 
@@ -6536,11 +6540,56 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 .ft R .in -4 .PP -Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. +To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. +.PP +The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +.fi +.ad +.ft R +.in -4 +.PP +The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. +.PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. .PP This feature is available in Postfix 2.5 and later. .SH smtp_tls_key_file (default: $smtp_tls_cert_file) 
@@ -9428,11 +9477,56 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 .ft R .in -4 .PP -Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. +To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. +.PP +The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +.fi +.ad +.ft R +.in -4 +.PP +The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. +.PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. .PP Example: client-certificate access table, with sha1 fingerprints: .sp @@ -10077,6 +10171,19 @@ list when they are enabled. This prefix OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. +.SH tls_legacy_public_key_fingerprints (default: no) +A temporary migration aid for sites that use certificate +\fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. +.PP +Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see TLS_README. +.PP +This feature is available in Postfix 2.9.6 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, Index: src/external/ibm-public/postfix/dist/proto/TLS_README.html diff -u src/external/ibm-public/postfix/dist/proto/TLS_README.html:1.6 src/external/ibm-public/postfix/dist/proto/TLS_README.html:1.7 --- src/external/ibm-public/postfix/dist/proto/TLS_README.html:1.6 Wed Jan 2 19:18:33 2013 +++ src/external/ibm-public/postfix/dist/proto/TLS_README.html Wed Aug 21 20:12:31 2013 
@@ -677,6 +677,39 @@ the name of the user or host:</p> </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h3><a name="server_cipher">Server-side cipher controls</a> </h3> <p> The Postfix SMTP server supports 5 distinct cipher security levels 
@@ -1074,7 +1107,7 @@ required. The certificate trust chain, not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the <a href="#client_tls_policy">policy</a> table lists the remote SMTP server certificate fingerprint or -public key fingerprint (Postfix 2.9 and later). +public key fingerprint (Postfix 2.9 and later). </p> <p> If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs 
@@ -1136,6 +1169,39 @@ As in the example above, we show two mat </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. 
</p> + <h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4> <p> At the "verify" TLS security level, messages are sent only over Index: src/external/ibm-public/postfix/dist/proto/postconf.proto diff -u src/external/ibm-public/postfix/dist/proto/postconf.proto:1.10 src/external/ibm-public/postfix/dist/proto/postconf.proto:1.11 --- src/external/ibm-public/postfix/dist/proto/postconf.proto:1.10 Wed Jan 2 19:18:33 2013 +++ src/external/ibm-public/postfix/dist/proto/postconf.proto Wed Aug 21 20:12:31 2013 @@ -9065,6 +9065,10 @@ relay_clientcerts = hash:/etc/postfix/re an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.</p> +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <p>This feature is available with Postfix version 2.2.</p> %PARAM smtpd_tls_cipherlist 
@@ -11489,11 +11493,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. 
</p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> This feature is available in Postfix 2.5 and later. </p> 
@@ -11607,11 +11647,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32 </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. 
</p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> Example: client-certificate access table, with sha1 fingerprints: </p> @@ -13869,6 +13945,21 @@ OpenSSL 1.0.0.</dd> <p> This feature is available in Postfix 2.8 and later. </p> +%PARAM tls_legacy_public_key_fingerprints no + +<p> A temporary migration aid for sites that use certificate +<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. </p> + +<p> Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see TLS_README. </p> + +<p> This feature is available in Postfix 2.9.6 and later. </p> + %PARAM tlsproxy_watchdog_timeout 10s <p> How much time a tlsproxy(8) process may take to process local Index: src/external/ibm-public/postfix/dist/src/global/mail_params.h diff -u src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.9 src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.10 --- src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.9 Wed Jan 2 19:18:34 2013 +++ src/external/ibm-public/postfix/dist/src/global/mail_params.h Wed Aug 21 20:12:31 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: mail_params.h,v 1.9 2013/01/02 19:18:34 tron Exp $ */ +/* $NetBSD: mail_params.h,v 1.10 2013/08/21 20:12:31 tron Exp $ */ #ifndef _MAIL_PARAMS_H_INCLUDED_ #define _MAIL_PARAMS_H_INCLUDED_ 
@@ -3037,6 +3037,10 @@ extern bool var_tls_preempt_clist; #define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS extern char *var_tls_bug_tweaks; +#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" +#define DEF_TLS_BC_PKEY_FPRINT 0 +extern bool var_tls_bc_pkey_fprint; + /* * Sendmail-style mail filter support. */ Index: src/external/ibm-public/postfix/dist/src/tls/tls_client.c diff -u src/external/ibm-public/postfix/dist/src/tls/tls_client.c:1.6 src/external/ibm-public/postfix/dist/src/tls/tls_client.c:1.7 --- src/external/ibm-public/postfix/dist/src/tls/tls_client.c:1.6 Wed Jan 2 19:18:36 2013 +++ src/external/ibm-public/postfix/dist/src/tls/tls_client.c Wed Aug 21 20:12:31 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: tls_client.c,v 1.6 2013/01/02 19:18:36 tron Exp $ */ +/* $NetBSD: tls_client.c,v 1.7 2013/08/21 20:12:31 tron Exp $ */ /*++ /* NAME @@ -996,7 +996,7 @@ TLS_SESS_STATE *tls_client_start(const T if (TLScontext->log_mask & (TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) msg_info("%s: subject_CN=%s, issuer_CN=%s, " - "fingerprint %s, pkey_fingerprint=%s", props->namaddr, + "fingerprint=%s, pkey_fingerprint=%s", props->namaddr, TLScontext->peer_CN, TLScontext->issuer_CN, TLScontext->peer_fingerprint, TLScontext->peer_pkey_fprint);
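Review bot: the new tls_legacy_public_key_fingerprints entry in the postconf.5.html hunk (@@ -15587) links to the wrong anchor: `<a href="postconf.5.html#tls_legacy_public_key_fingerprint">` drops the trailing "s", while the anchor defined two lines earlier is `<a name="tls_legacy_public_key_fingerprints">`, so the self-reference will not resolve. The same paragraph, in its HTML, man-page and postconf.proto variants, also spells "finger prints" as two words; use "fingerprints" as the rest of the patch does.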
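Review bot: the public-key fingerprint extraction text added to TLS_README, postconf.5 and their html/proto sources ties the digest to the OpenSSL release ("# OpenSSL 1.0 with all certificates and SHA-1 fingerprints." versus "# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints."), but only the `pkey`-versus-`rsa` choice depends on the OpenSSL version; the `-sha1`/`-md5` argument has to match the digest Postfix is configured to compare against, and the comments should say so. The examples also emit lowercase colon-separated hex ((stdin)= 64:3f:1f:...), whereas the table and policy examples in the same hunks (D7:04:2F:..., match=3D:95:34:...) are uppercase; state whether relay_clientcerts and the "match" attribute compare case-insensitively, or tell the reader to normalise case before pasting.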
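Review bot: the version range in the new "Note:" paragraphs is spelled three ways across the patch: "2.9.0-2.9.5" in the plain-text TLS_README, "2.9.0–2.9.5" with a raw non-ASCII en dash in the html, proto and postconf.5 hunks, and "2.9.0..2.9.5" in the tls_legacy_public_key_fingerprints description. In the troff source the raw en dash renders correctly only if the viewer assumes a UTF-8 input encoding; use `\(en` or the ASCII hyphen the README already uses, and pick one spelling for all files.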
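Review bot: the mail_params.h hunk (@@ -3037) only declares `VAR_TLS_BC_PKEY_FPRINT`, `DEF_TLS_BC_PKEY_FPRINT 0` (which does agree with the documented default of "no") and `extern bool var_tls_bc_pkey_fprint;`. Nothing in this commit registers the parameter in a configuration table or reads the flag, and no other file under src/global or src/tls is in the modified-files list, so confirm that the consumer of this flag came in with the import these conflicts belong to; otherwise the migration aid the documentation describes is inert.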
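Review bot: the tls_client.c hunk (@@ -996) changes the msg_info format from "fingerprint %s" to "fingerprint=%s", which makes the line consistent key=value like the neighbouring subject_CN=, issuer_CN= and pkey_fingerprint= fields. That is the right fix, but it changes the log format that sites may already be parsing for peer certificate fingerprints; a one-line mention in the release notes or log documentation would save operators a broken match rule.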