mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 21:55:20 +00:00

Update fingerprint digest documentation

This commit is contained in:
Viktor Dukhovni
2017-08-15 17:38:04 +00:00
committed by Viktor Dukhovni
parent e0d44feb73
commit 7eb43e1198


@@ -12191,17 +12191,16 @@ certificate (or public/private key-pair) that has the same fingerprint. </p>
<p> The default algorithm is <b>md5</b>; this is consistent with
the backwards compatible setting of the digest used to verify client
certificates in the SMTP server. </p>
certificates in the SMTP server. Any other digest algorithm supported
by your OpenSSL library (and enabled via OpenSSL_add_ssl_algorithms())
may be used instead. See the manpage for the OpenSSL "dgst" command for
the list of implemented algorithms. </p>
<p> The best practice algorithm is now <b>sha1</b>. Recent advances in hash
function cryptanalysis have led to md5 being deprecated in favor of sha1.
However, as long as there are no known "second pre-image" attacks
against md5, its use in this context can still be considered safe.
</p>
<p> While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available to
Postfix. For now this means just md5 or sha1. </p>
<p> Advances in hash function cryptanalysis have led to MD5 being
deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
SHA384 and SHA512). However, as long as there are no known "second
pre-image" attacks against MD5, its use in this context can still be
considered safe. </p>
<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run:
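Review bot: the new paragraph beginning "Advances in hash function cryptanalysis" replaces the removed sentence "The best practice algorithm is now <b>sha1</b>." without naming any recommended algorithm, so the reader learns that SHA2 digests are available while the default stays <b>md5</b> and is never told which value to set. Suggest keeping an explicit recommendation alongside the SHA2 list, for example "<p> The recommended algorithm is <b>sha256</b>. </p>", so the security-relevant choice is stated rather than left to inference. The two neighbouring paragraphs still pull in opposite directions ("Any other digest algorithm supported by your OpenSSL library ... may be used instead" versus "only those used by libssl in SSL cipher suites are available to Postfix"); merging them into one statement of what is actually selectable would avoid the contradiction now that "For now this means just md5 or sha1" is gone.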
@@ -12342,21 +12341,21 @@ configuration parameter. See there for details. </p>
%PARAM smtpd_tls_fingerprint_digest md5
<p> The message digest algorithm to construct remote SMTP
client-certificate
fingerprints or public key fingerprints (Postfix 2.9 and later)
for <b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>. The
default algorithm is <b>md5</b>, for backwards compatibility with Postfix
releases prior to 2.5. </p>
client-certificate fingerprints or public key fingerprints
(Postfix 2.9 and later) for <b>check_ccert_access</b> and
<b>permit_tls_clientcerts</b>. The default algorithm is <b>md5</b>,
for backwards compatibility with Postfix releases prior to 2.5. </p>
<p> Advances in hash
function cryptanalysis have led to md5 being deprecated in favor of sha1.
However, as long as there are no known "second pre-image" attacks
against md5, its use in this context can still be considered safe.
</p>
<p> Any other digest algorithm supported by your OpenSSL library (and
enabled via OpenSSL_add_ssl_algorithms()) may be used instead. See
the manpage for the OpenSSL "dgst" command for the list of implemented
algorithms. </p>
<p> While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available to
Postfix. </p>
<p> Advances in hash function cryptanalysis have led to MD5 being
deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
SHA384 and SHA512). However, as long as there are no known "second
pre-image" attacks against MD5, its use in this context can still be
considered safe. </p>
<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run: </p>
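Review bot: the three paragraphs added under smtpd_tls_fingerprint_digest ("Any other digest algorithm supported by your OpenSSL library ...", "While additional digest algorithms are often available ...", "Advances in hash function cryptanalysis ...") repeat the smtp_tls_fingerprint_digest text from the previous hunk almost verbatim, which means two copies to keep in sync the next time the digest guidance changes. Suggest keeping the full explanation in one place and replacing the duplicate here with a cross-reference such as "See <a href="#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> for a discussion of the available algorithms." Since this parameter feeds <b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>, the "considered safe" sentence about MD5 would also read better paired with a concrete recommendation (for example <b>sha256</b>), as the default remains <b>md5</b> and the text otherwise leaves the choice implicit.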