DevHeads.net

Postings by Viktor Schneider

Disable SSL/TLS renegotiation

Hello postfix-users,

While checking the SSL configuration of a Postfix server, I noticed that
so-called "Client-initiated secure renegotiation" is available in
Postfix by default.
You can verify it with the following openssl command, pressing "R" once the
connection is successfully established:

openssl s_client -connect <hostname/IP>:25 -starttls smtp

250 DSN
R
RENEGOTIATING
depth=2 C = US, O = XXX, OU = www.xxx.com, CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = www.xxx.com, CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return: