error propagation in tlsproxy(8) resulting in segfault after
TLS handshake error. Found during code maintenance. File:
tlsproxy/tlsproxy.c.
+
+20180617
+
+ Bugfix (introduced: Postfix 2.11): minor memory leak when
+ minting issuer certs. This affects a tiny minority of use
+ cases. Viktor Dukhovni, based on a fix by Juan Altmayer
+ Pizzorno for the ssl_dane library.
+
+20181104
+
+ Multiple 'bit rot' fixes for OpenSSL API changes, including
+ support to disable TLSv1.3, to avoid issuing multiple session
+ tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
+ bumps without complaining about library version mismatches.
+ Viktor Dukhovni. Files: proto/postconf.proto,
+ proto/TLS_README.html, tls/tls.h, tls/tls_dane.c,
+ tls/tls_server.c, tls/tls_misc.c.
smtpd_starttls_timeout = 300s
With Postfix 2.8 and later, the tls_disable_workarounds parameter specifies a
-list or bit-mask of OpenSSL bug work-arounds to disable. This may be necessary
-if one of the work-arounds enabled by default in OpenSSL proves to pose a
-security risk, or introduces an unexpected interoperability issue. Some bug
-work-arounds known to be problematic are disabled in the default value of the
-parameter when linked with an OpenSSL library that could be vulnerable.
+list or bit-mask of default-enabled OpenSSL bug work-arounds to disable. This
+may be necessary if one of the work-arounds enabled by default in OpenSSL
+proves to pose a security risk, or introduces an unexpected interoperability
+issue. The list of enabled bug work-arounds is OpenSSL-release-specific. See
+the tls_disable_workarounds parameter documentation for the list of supported
+values.
Example:
below, or a hexadecimal bitmask of options found in the ssl.h file
corresponding to the run-time OpenSSL library. While it may be reasonable to
turn off all bug workarounds (see above), it is not a good idea to attempt to
-turn on all features.
+turn on all features. See the tls_ssl_options parameter documentation for the
+list of supported values.
-L\bLE\bEG\bGA\bAC\bCY\bY_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_C\bCO\bON\bNN\bNE\bEC\bCT\bT
- See SSL_CTX_set_options(3).
-N\bNO\bO_\b_T\bTI\bIC\bCK\bKE\bET\bT
- See SSL_CTX_set_options(3).
-N\bNO\bO_\b_C\bCO\bOM\bMP\bPR\bRE\bES\bSS\bSI\bIO\bON\bN
- Disable SSL compression even if supported by the OpenSSL library.
- Compression is CPU-intensive, and compression before encryption does not
- always improve security.
Example:
/etc/postfix/main.cf:
</blockquote>
<p> With Postfix 2.8 and later, the <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> parameter
-specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This
-may be necessary if one of the work-arounds enabled by default in
-OpenSSL proves to pose a security risk, or introduces an unexpected
-interoperability issue. Some bug work-arounds known to be problematic
-are disabled in the default value of the parameter when linked with
-an OpenSSL library that could be vulnerable. </p>
+specifies a list or bit-mask of default-enabled OpenSSL bug
+work-arounds to disable. This may be necessary if one of the
+work-arounds enabled by default in OpenSSL proves to pose a security
+risk, or introduces an unexpected interoperability issue. The list
+of enabled bug work-arounds is OpenSSL-release-specific. See the
+<a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> parameter documentation for the list of
+supported values.</p>
<p> Example: </p>
found in the ssl.h file corresponding to the run-time OpenSSL
library. While it may be reasonable to turn off all bug workarounds
(see above), it is not a good idea to attempt to turn on all features.
-</p>
-
-<dl>
-
-<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-
-<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-
-<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
-supported by the OpenSSL library. Compression is CPU-intensive,
-and compression before encryption does not always improve security. </dd>
-
-</dl>
+See the <a href="postconf.5.html#tls_ssl_options">tls_ssl_options</a> parameter documentation for the list of
+supported values. </p>
<p> Example: </p>
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example: </p>
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+</p>
<blockquote>
<pre>
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !TLSv1
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
<a href="TLS_README.html#client_tls_dane">dane-only</a> security
levels, when usable TLSA records are obtained for the remote SMTP
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example: </p>
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+</p>
<blockquote>
<pre>
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !TLSv1
+<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !TLSv1
</pre>
</blockquote>
<p> also disables any protocols version higher than TLSv1 leaving
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> Example: </p>
<pre>
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
<dl>
-<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
+OpenSSL 1.0.0.</dd>
-<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
-<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
-as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
-default with OpenSSL versions that may predate the fix. Fixed in
-OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
-
-<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
-SSL_CTX_set_options(3)</dd>
-
<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>
+<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>
+<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
+as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
+
<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>
-<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
This is disabled in OpenSSL 0.9.7 and later. Nobody should still
be using 0.9.6! </dd>
-<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
-SSL_CTX_set_options(3)</dd>
-
-<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
-OpenSSL 1.0.0.</dd>
+<dt><b>TLSEXT_PADDING</b></dt><dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd>
</dl>
You can only enable options not already controlled by other Postfix
settings. For example, you cannot disable protocols or enable
server cipher preference. Do not attempt to turn all features by
-specifying 0xFFFFFFFF, this is unlikely to be a good idea. </p>
+specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some
+bug work-arounds are also valid here, allowing them to be re-enabled
+if/when they're no longer enabled by default. The supported values
+include: </p>
<dl>
+<dt><b>ENABLE_MIDDLEBOX_COMPAT</b></dt> <dd>Postfix ≥ 3.4. See
+SSL_CTX_set_options(3).</dd>
+
<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+<dt><b>NO_TICKET</b></dt> <dd>Enabled by default when needed in
+fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥
+2.11, unless for some reason you do not want to support TLS session
+resumption. Best not set explicitly. See SSL_CTX_set_options(3).</dd>
<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
supported by the OpenSSL library. Compression is CPU-intensive,
and compression before encryption does not always improve security. </dd>
+<dt><b>NO_RENEGOTIATION</b></dt> <dd>Postfix ≥ 3.4. This can
+reduce opportunities for a potential CPU exhaustion attack. See
+SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_SESSION_RESUMPTION_ON_RENEGOTIATION</b></dt> <dd>Postfix
+≥ 3.4. See SSL_CTX_set_options(3).</dd>
+
+<dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd>
+
+<dt><b>TLSEXT_PADDING</b></dt> <dd>Postfix ≥ 3.4. See
+SSL_CTX_set_options(3).</dd>
+
</dl>
<p> This feature is available in Postfix 2.11 and later. </p>
.PP
The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example:
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
.sp
.in +4
.nf
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2".
.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
At the dane and
dane\-only security
levels, when usable TLSA records are obtained for the remote SMTP
.PP
The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example:
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
.sp
.in +4
.nf
.na
.ft C
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !TLSv1
.fi
.ad
.ft R
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"
.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
Example:
.PP
.nf
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
is possible that your OpenSSL version includes new bug work\-arounds
added after your Postfix source code was last updated, in that case
you can only disable one of these via the hexadecimal syntax above.
-.IP "\fBMICROSOFT_SESS_ID_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR"
+New with GOST support in
+OpenSSL 1.0.0.
.br
-.IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
.br
.IP "\fBLEGACY_SERVER_CONNECT\fR"
See SSL_CTX_\fBset_options\fR(3)
.br
-.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
-also aliased
-as \fBCVE\-2010\-4180\fR. Postfix 2.8 disables this work\-around by
-default with OpenSSL versions that may predate the fix. Fixed in
-OpenSSL 0.9.8q and OpenSSL 1.0.0c.
-.br
-.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
-See
-SSL_CTX_\fBset_options\fR(3)
-.br
.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR"
See
SSL_CTX_\fBset_options\fR(3)
.br
+.IP "\fBMICROSOFT_SESS_ID_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBMSIE_SSLV2_RSA_PADDING\fR"
also aliased as
\fBCVE\-2005\-2969\fR. Postfix 2.8 disables this work\-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.7h and OpenSSL 0.9.8a.
.br
+.IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.br
+.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
+also aliased
+as \fBCVE\-2010\-4180\fR. Postfix 2.8 disables this work\-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.
+.br
.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR"
See
SSL_CTX_\fBset_options\fR(3)
.br
-.IP "\fBTLS_D5_BUG\fR"
-See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
.br
.IP "\fBTLS_BLOCK_PADDING_BUG\fR"
See SSL_CTX_\fBset_options\fR(3)
.br
+.IP "\fBTLS_D5_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBTLS_ROLLBACK_BUG\fR"
See SSL_CTX_\fBset_options\fR(3).
This is disabled in OpenSSL 0.9.7 and later. Nobody should still
be using 0.9.6!
.br
-.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
-See
-SSL_CTX_\fBset_options\fR(3)
-.br
-.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR"
-New with GOST support in
-OpenSSL 1.0.0.
+.IP "\fBTLSEXT_PADDING\fR"
+Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
.br
.br
.PP
You can only enable options not already controlled by other Postfix
settings. For example, you cannot disable protocols or enable
server cipher preference. Do not attempt to turn all features by
-specifying 0xFFFFFFFF, this is unlikely to be a good idea.
+specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some
+bug work\-arounds are also valid here, allowing them to be re\-enabled
+if/when they're no longer enabled by default. The supported values
+include:
+.IP "\fBENABLE_MIDDLEBOX_COMPAT\fR"
+Postfix >= 3.4. See
+SSL_CTX_\fBset_options\fR(3).
+.br
.IP "\fBLEGACY_SERVER_CONNECT\fR"
See SSL_CTX_\fBset_options\fR(3).
.br
.IP "\fBNO_TICKET\fR"
-See SSL_CTX_\fBset_options\fR(3).
+Enabled by default when needed in
+fully\-patched Postfix >= 2.7. Not needed at all for Postfix >=
+2.11, unless for some reason you do not want to support TLS session
+resumption. Best not set explicitly. See SSL_CTX_\fBset_options\fR(3).
.br
.IP "\fBNO_COMPRESSION\fR"
Disable SSL compression even if
supported by the OpenSSL library. Compression is CPU\-intensive,
and compression before encryption does not always improve security.
.br
+.IP "\fBNO_RENEGOTIATION\fR"
+Postfix >= 3.4. This can
+reduce opportunities for a potential CPU exhaustion attack. See
+SSL_CTX_\fBset_options\fR(3).
+.br
+.IP "\fBNO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR"
+Postfix
+>= 3.4. See SSL_CTX_\fBset_options\fR(3).
+.br
+.IP "\fBPRIORITIZE_CHACHA\fR"
+Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
+.br
+.IP "\fBTLSEXT_PADDING\fR"
+Postfix >= 3.4. See
+SSL_CTX_\fBset_options\fR(3).
+.br
.br
.PP
This feature is available in Postfix 2.11 and later.
</blockquote>
<p> With Postfix 2.8 and later, the tls_disable_workarounds parameter
-specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This
-may be necessary if one of the work-arounds enabled by default in
-OpenSSL proves to pose a security risk, or introduces an unexpected
-interoperability issue. Some bug work-arounds known to be problematic
-are disabled in the default value of the parameter when linked with
-an OpenSSL library that could be vulnerable. </p>
+specifies a list or bit-mask of default-enabled OpenSSL bug
+work-arounds to disable. This may be necessary if one of the
+work-arounds enabled by default in OpenSSL proves to pose a security
+risk, or introduces an unexpected interoperability issue. The list
+of enabled bug work-arounds is OpenSSL-release-specific. See the
+tls_disable_workarounds parameter documentation for the list of
+supported values.</p>
<p> Example: </p>
found in the ssl.h file corresponding to the run-time OpenSSL
library. While it may be reasonable to turn off all bug workarounds
(see above), it is not a good idea to attempt to turn on all features.
-</p>
-
-<dl>
-
-<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-
-<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-
-<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
-supported by the OpenSSL library. Compression is CPU-intensive,
-and compression before encryption does not always improve security. </dd>
-
-</dl>
+See the tls_ssl_options parameter documentation for the list of
+supported values. </p>
<p> Example: </p>
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example: </p>
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+</p>
<blockquote>
<pre>
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
<a href="TLS_README.html#client_tls_dane">dane-only</a> security
levels, when usable TLSA records are obtained for the remote SMTP
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> Example: </p>
<pre>
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
-higher version implicitly disables all versions above that higher
-version. Thus, for example: </p>
+higher version implicitly disables all versions above that higher version.
+Thus, for example (assuming the OpenSSL library supports both SSLv2
+and SSLv3):
+</p>
<blockquote>
<pre>
-smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
+smtp_tls_protocols = !SSLv2, !TLSv1
</pre>
</blockquote>
<p> also disables any protocols version higher than TLSv1 leaving
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+this can be disabled, if need be, via "!TLSv1.3". </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
<dl>
-<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
+OpenSSL 1.0.0.</dd>
-<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
-<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
-as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
-default with OpenSSL versions that may predate the fix. Fixed in
-OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
-
-<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
-SSL_CTX_set_options(3)</dd>
-
<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>
+<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>
+<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
+as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
+
<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>
-<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
This is disabled in OpenSSL 0.9.7 and later. Nobody should still
be using 0.9.6! </dd>
-<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
-SSL_CTX_set_options(3)</dd>
-
-<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
-OpenSSL 1.0.0.</dd>
+<dt><b>TLSEXT_PADDING</b></dt><dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd>
</dl>
You can only enable options not already controlled by other Postfix
settings. For example, you cannot disable protocols or enable
server cipher preference. Do not attempt to turn all features by
-specifying 0xFFFFFFFF, this is unlikely to be a good idea. </p>
+specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some
+bug work-arounds are also valid here, allowing them to be re-enabled
+if/when they're no longer enabled by default. The supported values
+include: </p>
<dl>
+<dt><b>ENABLE_MIDDLEBOX_COMPAT</b></dt> <dd>Postfix ≥ 3.4. See
+SSL_CTX_set_options(3).</dd>
+
<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
-<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+<dt><b>NO_TICKET</b></dt> <dd>Enabled by default when needed in
+fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥
+2.11, unless for some reason you do not want to support TLS session
+resumption. Best not set explicitly. See SSL_CTX_set_options(3).</dd>
<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
supported by the OpenSSL library. Compression is CPU-intensive,
and compression before encryption does not always improve security. </dd>
+<dt><b>NO_RENEGOTIATION</b></dt> <dd>Postfix ≥ 3.4. This can
+reduce opportunities for a potential CPU exhaustion attack. See
+SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_SESSION_RESUMPTION_ON_RENEGOTIATION</b></dt> <dd>Postfix
+≥ 3.4. See SSL_CTX_set_options(3).</dd>
+
+<dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd>
+
+<dt><b>TLSEXT_PADDING</b></dt> <dd>Postfix ≥ 3.4. See
+SSL_CTX_set_options(3).</dd>
+
</dl>
<p> This feature is available in Postfix 2.11 and later. </p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20180519"
-#define MAIL_VERSION_NUMBER "3.1.9"
+#define MAIL_RELEASE_DATE "20181104"
+#define MAIL_VERSION_NUMBER "3.1.10-RC1"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
#define ASN1_STRING_get0_data ASN1_STRING_data
#define X509_getm_notBefore X509_get_notBefore
#define X509_getm_notAfter X509_get_notAfter
+#endif
+
+ /* Backwards compatibility with OpenSSL < 1.1.1 */
+#if OPENSSL_VERSION_NUMBER < 0x1010100fUL
+#define SSL_CTX_set_num_tickets(ctx, num) ((void)0)
#endif
/* SSL_CIPHER_get_name() got constified in 0.9.7g */
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
-#ifdef SSL_TXT_TLSV1_3
+ /*
+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
+ * own.
+ */
+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
+
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else
-#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
#define TLS_SSL_OP_PROTOMASK(m) \
((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
return (matched);
}
-/* push_ext - push extension onto certificate's stack, else free it */
-
-static int push_ext(X509 *cert, X509_EXTENSION *ext)
-{
- if (ext) {
- if (X509_add_ext(cert, ext, -1))
- return 1;
- X509_EXTENSION_free(ext);
- }
- return 0;
-}
-
/* add_ext - add simple extension (no config section references) */
static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
{
+ int ret = 0;
X509V3_CTX v3ctx;
+ X509_EXTENSION *ext;
X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
- return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
+ if ((ext = X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)) != 0) {
+ ret = X509_add_ext(subject, ext, -1);
+ X509_EXTENSION_free(ext);
+ }
+ return ret;
}
/* set_serial - set serial number to match akid or use subject's plus 1 */
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
0, TLS_PROTOCOL_INVALID,
};
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0
#endif
NAMEBUG(CRYPTOPRO_TLSEXT_BUG),
+
+#ifndef SSL_OP_TLSEXT_PADDING
+#define SSL_OP_TLSEXT_PADDING 0
+#endif
+ NAMEBUG(TLSEXT_PADDING),
+
+#if 0
+
+ /*
+ * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in
+ * SSL_CTX_new() and is not included in SSL_OP_ALL. Allowing users to
+ * disable this would thus a code change that would clearing bug
+ * work-around bits in SSL_CTX, after setting SSL_OP_ALL. Since this is
+ * presumably required for TLS 1.3 on today's Internet, the code change
+ * will be done separately later. For now this implicit bug work-around
+ * cannot be disabled via supported Postfix mechanisms.
+ */
+#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0
+#endif
+ NAMEBUG(ENABLE_MIDDLEBOX_COMPAT),
+#endif
+
0, 0,
};
#define SSL_OP_NO_COMPRESSION 0
#endif
NAME_SSL_OP(NO_COMPRESSION),
+
+#ifndef SSL_OP_NO_RENEGOTIATION
+#define SSL_OP_NO_RENEGOTIATION 0
+#endif
+ NAME_SSL_OP(NO_RENEGOTIATION),
+
+#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
+#endif
+ NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
+
+#ifndef SSL_OP_PRIORITIZE_CHACHA
+#define SSL_OP_PRIORITIZE_CHACHA 0
+#endif
+ NAME_SSL_OP(PRIORITIZE_CHACHA),
+
+#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0
+#endif
+ NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT),
+
0, 0,
};
tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info);
tls_version_split(OpenSSL_version_num(), &lib_info);
+ /*
+ * Warn if run-time library is different from compile-time library,
+ * allowing later run-time "micro" versions starting with 1.1.0.
+ */
if (lib_info.major != hdr_info.major
|| lib_info.minor != hdr_info.minor
- || lib_info.micro != hdr_info.micro)
+ || (lib_info.micro != hdr_info.micro
+ && (lib_info.micro < hdr_info.micro
+ || hdr_info.major == 0
+ || (hdr_info.major == 1 && hdr_info.minor == 0))))
msg_warn("run-time library vs. compile-time header version mismatch: "
"OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
lib_info.major, lib_info.minor, lib_info.micro,
ticketable = 0;
}
}
- if (ticketable)
+ if (ticketable) {
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
+
+ /*
+ * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more
+ * than one ticket per handshake. While this may be appropriate for
+ * communication between browsers and webservers, it is not terribly
+ * useful for MTAs, many of which other than Postfix don't do TLS
+ * session caching at all, and Postfix has no mechanism for storing
+ * multiple session tickets, if more than one sent, the second
+ * clobbers the first. OpenSSL 1.1.1 servers default to issuing two
+ * tickets for non-resumption handshakes, we reduce this to one. Our
+ * ticket decryption callback already (since 2.11) asks OpenSSL to
+ * avoid issuing new tickets when the presented ticket is re-usable.
+ */
+ SSL_CTX_set_num_tickets(server_ctx, 1);
+ }
#endif
if (!ticketable)
off |= SSL_OP_NO_TICKET;
projects / thirdparty / postfix.git / commitdiff
