The prioritized list of elliptic curves supported by the Postfix -SMTP client and server. These curves are used by the Postfix SMTP -server when "smtpd_tls_eecdh_grade = auto". The selected curves must be -implemented by OpenSSL and be standardized for use in TLS (RFC 8422). -It is unwise to list only "bleeding-edge" curves supported by a small -subset of clients. The default list is suitable for most users.
+The prioritized list of elliptic curves, that should be enabled in the +Postfix SMTP client and server. These are used by the Postfix SMTP server when +"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented +by OpenSSL and be standardized for use in the TLS "supported groups" extension +(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and +"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default +list is suitable for most users.
-Postfix skips curve names that are unknown to OpenSSL, or that -are known but not yet implemented. This makes it possible to -"anticipate" support for curves that should be used once they become -available. In particular, in some OpenSSL versions, the new RFC -8031 curves "X25519" and "X448" may be known by name, but ECDH -support for either or both may be missing. These curves may appear -in the default value of this parameter, even though they'll only -be usable with later versions of OpenSSL.
+On the client side, the first curve listed will be used to construct the +client's initial TLS 1.3 "keyshare". If this is not supported by the server, +the TLS handshake may require an additional round-trip after the server issues +a HelloRetryRequest (HRR) indicating a suitable mutually supported curve.
+ +Postfix skips curve names that are unknown to OpenSSL, or that are known +but not yet implemented. This makes it possible to "anticipate" support for +curves that should be used once they become available, or to deploy the same +setting on a server "farm" where not all servers support the same curves.
+ +As of Postfix 3.10, when compiled with OpenSSL 3.0 or later, the "curve" +names can be more general key encapsulation mechanisms (KEMs), and/or may be +loaded from an external "provider" (via a suitable tls_config_file).
See also the "tls_ffdhe_auto_groups" parameter, which supports customizing the list of FFDHE groups enabled with TLS 1.3. That setting @@ -20293,10 +20299,10 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of this is required by OpenSSL 3.0. If both are inadvertently set empty, Postfix will fall back to the compiled-in defaults.
-All the default groups and EC curves should sufficiently strong -to make "pruning" the defaults unwise. At a minimum, "X25519" and -"P-256" (a.k.a. "prime256v1") should be among the enabled EC curves, -while "dhe2048" and "dhe3072" should be among the FFDHE groups.
+All the default groups and EC curves should sufficiently strong to make +"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the +OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC +curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups.
This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 91beac06d..7e367f164 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -13984,21 +13984,27 @@ Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3). .PP This feature is available in Postfix 2.8 and later. .SH tls_eecdh_auto_curves (default: see "postconf \-d" output) -The prioritized list of elliptic curves supported by the Postfix -SMTP client and server. These curves are used by the Postfix SMTP -server when "smtpd_tls_eecdh_grade = auto". The selected curves must be -implemented by OpenSSL and be standardized for use in TLS (RFC 8422). -It is unwise to list only "bleeding\-edge" curves supported by a small -subset of clients. The default list is suitable for most users. +The prioritized list of elliptic curves, that should be enabled in the +Postfix SMTP client and server. These are used by the Postfix SMTP server when +"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented +by OpenSSL and be standardized for use in the TLS "supported groups" extension +(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and +"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P\-256"). The default +list is suitable for most users. .PP -Postfix skips curve names that are unknown to OpenSSL, or that -are known but not yet implemented. This makes it possible to -"anticipate" support for curves that should be used once they become -available. In particular, in some OpenSSL versions, the new RFC -8031 curves "X25519" and "X448" may be known by name, but ECDH -support for either or both may be missing. These curves may appear -in the default value of this parameter, even though they'll only -be usable with later versions of OpenSSL. +On the client side, the first curve listed will be used to construct the +client's initial TLS 1.3 "keyshare". If this is not supported by the server, +the TLS handshake may require an additional round\-trip after the server issues +a HelloRetryRequest (HRR) indicating a suitable mutually supported curve. +.PP +Postfix skips curve names that are unknown to OpenSSL, or that are known +but not yet implemented. This makes it possible to "anticipate" support for +curves that should be used once they become available, or to deploy the same +setting on a server "farm" where not all servers support the same curves. +.PP +As of Postfix 3.10, when compiled with OpenSSL 3.0 or later, the "curve" +names can be more general key encapsulation mechanisms (KEMs), and/or may be +loaded from an external "provider" (via a suitable tls_config_file). .PP See also the "tls_ffdhe_auto_groups" parameter, which supports customizing the list of FFDHE groups enabled with TLS 1.3. That setting @@ -14115,10 +14121,10 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of this is required by OpenSSL 3.0. If both are inadvertently set empty, Postfix will fall back to the compiled\-in defaults. .PP -All the default groups and EC curves should sufficiently strong -to make "pruning" the defaults unwise. At a minimum, "X25519" and -"P\-256" (a.k.a. "prime256v1") should be among the enabled EC curves, -while "dhe2048" and "dhe3072" should be among the FFDHE groups. +All the default groups and EC curves should sufficiently strong to make +"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the +OpenSSL name for "secp256r1", a.k.a. "P\-256") should be among the enabled EC +curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. .PP This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later. diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 24b8295f2..d0f3bd145 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -13364,21 +13364,27 @@ parameter. See there for details. %PARAM tls_eecdh_auto_curves see "postconf -d" output -The prioritized list of elliptic curves supported by the Postfix -SMTP client and server. These curves are used by the Postfix SMTP -server when "smtpd_tls_eecdh_grade = auto". The selected curves must be -implemented by OpenSSL and be standardized for use in TLS (RFC 8422). -It is unwise to list only "bleeding-edge" curves supported by a small -subset of clients. The default list is suitable for most users.
+The prioritized list of elliptic curves, that should be enabled in the +Postfix SMTP client and server. These are used by the Postfix SMTP server when +"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented +by OpenSSL and be standardized for use in the TLS "supported groups" extension +(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and +"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default +list is suitable for most users.
-Postfix skips curve names that are unknown to OpenSSL, or that -are known but not yet implemented. This makes it possible to -"anticipate" support for curves that should be used once they become -available. In particular, in some OpenSSL versions, the new RFC -8031 curves "X25519" and "X448" may be known by name, but ECDH -support for either or both may be missing. These curves may appear -in the default value of this parameter, even though they'll only -be usable with later versions of OpenSSL.
+On the client side, the first curve listed will be used to construct the +client's initial TLS 1.3 "keyshare". If this is not supported by the server, +the TLS handshake may require an additional round-trip after the server issues +a HelloRetryRequest (HRR) indicating a suitable mutually supported curve.
+ +Postfix skips curve names that are unknown to OpenSSL, or that are known +but not yet implemented. This makes it possible to "anticipate" support for +curves that should be used once they become available, or to deploy the same +setting on a server "farm" where not all servers support the same curves.
+ +As of Postfix 3.10, when compiled with OpenSSL 3.0 or later, the "curve" +names can be more general key encapsulation mechanisms (KEMs), and/or may be +loaded from an external "provider" (via a suitable tls_config_file).
See also the "tls_ffdhe_auto_groups" parameter, which supports customizing the list of FFDHE groups enabled with TLS 1.3. That setting @@ -13420,10 +13426,10 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of this is required by OpenSSL 3.0. If both are inadvertently set empty, Postfix will fall back to the compiled-in defaults.
-All the default groups and EC curves should sufficiently strong -to make "pruning" the defaults unwise. At a minimum, "X25519" and -"P-256" (a.k.a. "prime256v1") should be among the enabled EC curves, -while "dhe2048" and "dhe3072" should be among the FFDHE groups.
+All the default groups and EC curves should sufficiently strong to make +"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the +OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC +curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups.
This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later.
diff --git a/postfix/proto/stop b/postfix/proto/stop index ec9542f1c..03c799cfa 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1615,3 +1615,11 @@ milterfrom canonicalization Orlitzky Typofix +Deduplicate +KEM +HelloRetryRequest +HRR +KEMs +kex +keyshare +pkg diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 3e1bff20c..70a09313a 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -130,3 +130,4 @@ proto proto mysql_table proto pgsql_table proto ldap_table unimplemented commands in the SMTP server File smtpd smtpd c cleanup cleanup h cleanup cleanup_extracted c File postcat postcat c + Files src tls tls h src tls tls_dh c src tls tls_misc c diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history index e28ab4175..0b5f5be48 100644 --- a/postfix/proto/stop.spell-history +++ b/postfix/proto/stop.spell-history @@ -82,3 +82,4 @@ mozilla Dilyan Palauzov pkgconf +testfiles diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 1f03b0b34..1d61fde53 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3409,13 +3409,13 @@ extern char *var_tls_null_clist; #else #define DEF_TLS_EECDH_AUTO_3 "" #endif -#if defined(SN_secp521r1) && defined(NID_secp521r1) -#define DEF_TLS_EECDH_AUTO_4 SN_secp521r1 " " +#if defined(SN_secp384r1) && defined(NID_secp384r1) +#define DEF_TLS_EECDH_AUTO_4 SN_secp384r1 #else #define DEF_TLS_EECDH_AUTO_4 "" #endif -#if defined(SN_secp384r1) && defined(NID_secp384r1) -#define DEF_TLS_EECDH_AUTO_5 SN_secp384r1 +#if defined(SN_secp521r1) && defined(NID_secp521r1) +#define DEF_TLS_EECDH_AUTO_5 SN_secp521r1 " " #else #define DEF_TLS_EECDH_AUTO_5 "" #endif diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 52a5cc1ad..95fbd9bfd 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240917" +#define MAIL_RELEASE_DATE "20240923" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in index 4b562b3fb..2e5bbd3d8 100644 --- a/postfix/src/tls/Makefile.in +++ b/postfix/src/tls/Makefile.in @@ -207,6 +207,7 @@ tls_dane.o: ../../include/vstring.h tls_dane.o: tls.h tls_dane.o: tls_dane.c tls_dh.o: ../../include/argv.h +tls_dh.o: ../../include/been_here.h tls_dh.o: ../../include/check_arg.h tls_dh.o: ../../include/dns.h tls_dh.o: ../../include/mail_params.h diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 3ec41ba36..406246fd5 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -123,6 +123,15 @@ extern const char *str_tls_level(int); #define TLS_PEEK_PEER_CERT(ssl) SSL_get_peer_certificate(ssl) #define TLS_FREE_PEER_CERT(x) X509_free(x) #define tls_set_bio_callback BIO_set_callback +#endif + +#if OPENSSL_VERSION_PREREQ(3,2) +#define TLS_GROUP_NAME(ssl) SSL_get0_group_name(ssl) +#elif OPENSSL_VERSION_PREREQ(3,0) +#define TLS_GROUP_NAME(ssl) \ + SSL_group_to_name((ssl), SSL_get_negotiated_group(ssl)) +#else +#define TLS_GROUP_NAME(ssl) ((const char *)0) #endif /* diff --git a/postfix/src/tls/tls_dh.c b/postfix/src/tls/tls_dh.c index f47b95461..6165b9390 100644 --- a/postfix/src/tls/tls_dh.c +++ b/postfix/src/tls/tls_dh.c @@ -75,6 +75,7 @@ /* * Global library */ +#include