mirror of https://github.com/vdukhovni/postfix synced 2025-09-03 07:35:20 +00:00

Update fingerprint digest documentation

This commit is contained in:
Viktor Dukhovni
2017-08-15 17:38:04 +00:00
committed by Viktor Dukhovni
parent e0d44feb73
commit 7eb43e1198


@@ -12191,17 +12191,16 @@ certificate (or public/private key-pair) that has the same fingerprint. </p>
<p> The default algorithm is <b>md5</b>; this is consistent with <p> The default algorithm is <b>md5</b>; this is consistent with
the backwards compatible setting of the digest used to verify client the backwards compatible setting of the digest used to verify client
certificates in the SMTP server. </p> certificates in the SMTP server. Any other digest algorithm supported
by your OpenSSL library (and enabled via OpenSSL_add_ssl_algorithms())
may be used instead. See the manpage for the OpenSSL "dgst" command for
the list of implemented algorithms. </p>
<p> The best practice algorithm is now <b>sha1</b>. Recent advances in hash <p> Advances in hash function cryptanalysis have led to MD5 being
function cryptanalysis have led to md5 being deprecated in favor of sha1. deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
However, as long as there are no known "second pre-image" attacks SHA384 and SHA512). However, as long as there are no known "second
against md5, its use in this context can still be considered safe. pre-image" attacks against MD5, its use in this context can still be
</p> considered safe. </p>
<p> While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available to
Postfix. For now this means just md5 or sha1. </p>
<p> To find the fingerprint of a specific certificate file, with a <p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run: specific digest algorithm, run:
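Review bot: The rewritten paragraphs drop the explicit recommendation that the old text carried ("The best practice algorithm is now sha1") while leaving the default at md5 and telling the reader that any algorithm listed by the OpenSSL "dgst" command may be used; the dgst list will include weak legacy digests alongside the SHA2 family, so the text should still name a recommended choice (for example one of the SHA2 digests it now lists) and state plainly that md5 remains the default only for backwards compatibility. Minor: "i.e. SHA224, SHA256, SHA384 and SHA512" reads as an exhaustive definition of SHA2; "e.g." would be more accurate.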
@@ -12342,21 +12341,21 @@ configuration parameter. See there for details. </p>
%PARAM smtpd_tls_fingerprint_digest md5 %PARAM smtpd_tls_fingerprint_digest md5
<p> The message digest algorithm to construct remote SMTP <p> The message digest algorithm to construct remote SMTP
client-certificate client-certificate fingerprints or public key fingerprints
fingerprints or public key fingerprints (Postfix 2.9 and later) (Postfix 2.9 and later) for <b>check_ccert_access</b> and
for <b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>. The <b>permit_tls_clientcerts</b>. The default algorithm is <b>md5</b>,
default algorithm is <b>md5</b>, for backwards compatibility with Postfix for backwards compatibility with Postfix releases prior to 2.5. </p>
releases prior to 2.5. </p>
<p> Advances in hash <p> Any other digest algorithm supported by your OpenSSL library (and
function cryptanalysis have led to md5 being deprecated in favor of sha1. enabled via OpenSSL_add_ssl_algorithms()) may be used instead. See
However, as long as there are no known "second pre-image" attacks the manpage for the OpenSSL "dgst" command for the list of implemented
against md5, its use in this context can still be considered safe. algorithms. </p>
</p>
<p> While additional digest algorithms are often available with OpenSSL's <p> Advances in hash function cryptanalysis have led to MD5 being
libcrypto, only those used by libssl in SSL cipher suites are available to deprecated in favor of SHA1 and more recently SHA2 (i.e. SHA224, SHA256,
Postfix. </p> SHA384 and SHA512). However, as long as there are no known "second
pre-image" attacks against MD5, its use in this context can still be
considered safe. </p>
<p> To find the fingerprint of a specific certificate file, with a <p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run: </p> specific digest algorithm, run: </p>
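Review bot: The two new paragraphs (the "Any other digest algorithm supported by your OpenSSL library ..." text and the "Advances in hash function cryptanalysis ..." text) are now duplicated verbatim between this smtpd_tls_fingerprint_digest entry and the tls_fingerprint_digest entry in the first hunk; the hunk's context line already points readers to the other parameter with "See there for details", so consider keeping the explanatory text in one place and cross-referencing it from the other, so that a later change to the recommendation cannot leave the two entries disagreeing. As in the first hunk, "i.e." should be "e.g." for the SHA2 list.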