Re: "TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable" problem on Solaris 10 + possible solution
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Mon Jan 22 2007 - 09:57:27 CST
On Mon, Jan 22, 2007 at 10:30:01AM -0500, Wietse Venema wrote:
> Victor Duchovni:
> > On Mon, Jan 22, 2007 at 04:07:15PM +0100, Lars Olafsen wrote:
> >
> > > There also seems to be two other solutions to this problem - I did not
> > > try these:
> > > - Compile your own openssl libraries
> >
> > Do this. And use OpenSSL 0.9.7l or 0.9.8d, all other versions have known
> > security problems.
>
> Is there a way that Postfix could find out that the run-time
> infrastructure does not implement "HIGH" strength levels?
The funny thing is that the OpenSSL cipher syntax does not mandate
that all of the mentioned keywords map to a known cipher. For example:
$ openssl ciphers -v HIGH:INSANELYHIGH | wc -l
13
$ openssl ciphers -v HIGH | wc -l
13
I made up "INSANELYHIGH"; there are no such ciphers. Unsupported ciphers
in the cipherlist do no harm. The OP's problem is that he has an OpenSSL
library built to "know" about the high grade ciphers, which then fails when
they are used. This is a broken OpenSSL build.
The OP should report the output of:
$ echo medium
$ openssl ciphers -v MEDIUM
$ echo medium+high
$ openssl ciphers -v MEDIUM:HIGH
I am very curious to see what that reports. It should produce identical
output for both and throw no errors if "HIGH" is used.
It is really not practical to try to work around such breakage...
In Postfix 2.4, the "mandatory encryption" cipherlist is validated
in the SSL client when the TLS engine is started, this may produce an
early/clear warning of configuration issues before sessions are attempted.
Perhaps the client could also pre-validate the export cipherlist, and we
could do likewise in the server. It is less obvious that we can figure out
which element of a given cipherlist is responsible for any problem.
Sun's OpenSSL build is fubared I think...
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
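The two points made in the message above (unknown keywords in an OpenSSL cipherlist are silently skipped, and a cipherlist can be pre-validated when the TLS engine starts, although it is not obvious which element is at fault) can be checked without `openssl ciphers`, using Python's `ssl` module, which calls `SSL_CTX_set_cipher_list()` underneath. This is an added example, not code from the thread or from Postfix; the function names `expand` and `validate` and the heuristic of re-testing each plain selector word on its own are this example's own assumptions. It goes slightly beyond the message by reporting which selector words match nothing.

```python
"""Pre-validate OpenSSL cipherlist strings the way a TLS engine might at startup.

Added example, not from the mailing-list thread. Python's ssl module passes the
string to SSL_CTX_set_cipher_list(); OpenSSL ignores unknown keywords and only
fails when the resulting list is empty ("No cipher can be selected.").
"""
import ssl


def expand(spec):
    """Return the cipher names OpenSSL selects for `spec`.

    Equivalent to `openssl ciphers <spec>`. Raises ssl.SSLError when the
    string selects no cipher at all (OpenSSL returns 0 in that case).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # wraps SSL_CTX_set_cipher_list()
    return [c["name"] for c in ctx.get_ciphers()]


def validate(spec):
    """Return (ok, offenders) for a cipherlist string.

    ok is False when the whole list selects nothing. offenders lists the
    plain selector words that select nothing on their own; modifier words
    ("!", "-", "+") and "@" directives cannot be tested in isolation, so
    they are skipped (hypothetical heuristic, not an OpenSSL facility).
    """
    try:
        expand(spec)
        return True, []
    except ssl.SSLError:
        pass

    offenders = []
    for word in spec.split(":"):
        if not word or word[0] in "!-+@":
            continue
        try:
            expand(word)
        except ssl.SSLError:
            offenders.append(word)
    return False, offenders


if __name__ == "__main__":
    # Constructed cipherlists mirroring the message's experiment.
    for spec in ("HIGH", "HIGH:INSANELYHIGH", "MEDIUM:HIGH", "INSANELYHIGH",
                 "INSANELYHIGH:!aNULL"):
        ok, bad = validate(spec)
        count = len(expand(spec)) if ok else 0
        print(f"{spec:25} ok={ok} ciphers={count} offenders={bad}")
```

Because an unknown word is skipped rather than rejected, `expand("HIGH:INSANELYHIGH")` returns exactly the same list as `expand("HIGH")`, which is what the `wc -l` comparison in the message shows; the error only appears once nothing is left, as with `INSANELYHIGH` alone. A build where `HIGH` selects ciphers at this stage but then fails during the handshake would pass this check, which is the OP's situation and why the message calls it breakage that cannot be worked around in configuration.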