Disable TLS client-initiated renegotiation with postfix

In my main.cf I have "tls_ssl_options=NO_RENEGOTIATION", but when I use the
mailserver verification option from https://internet.nl I get the report
that TLS client-initiated renegotiation is not disabled and that therefore
my postfix setup is prone to a DOS attack by means of CPU resource
starvation.

1. Is this a false positive?
2. If it is indeed an issue, how to disable TLS client-initiated
renegotiation with postfix?

Cheers

Comments

Re: Disable TLS client-initiated renegotiation with postfix

By Viktor Dukhovni at 06/08/2019 - 05:20

Perhaps not.

You need at least OpenSSL 1.1.1 for that option to have any effect.
From the SSL_CTX_set_options(3) manpage:

HISTORY
...
The SSL_OP_PRIORITIZE_CHACHA and SSL_OP_NO_RENEGOTIATION options were
added in OpenSSL 1.1.1.

Likely your OpenSSL version is older.
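As an added illustration of the reply above (this is not code from the thread or from the Postfix project), the script below encodes the two things worth checking: whether the OpenSSL version string reports 1.1.1 or later, which is the minimum for SSL_OP_NO_RENEGOTIATION to exist, and whether main.cf actually carries NO_RENEGOTIATION in tls_ssl_options. The version parser and the main.cf check are generic; the optional live check assumes that `openssl version` reports the same library Postfix was linked against, which is not guaranteed on systems with several OpenSSL builds (the `ldd` hint in the comment is an assumption for that case).

```shell
#!/bin/sh
# Added example, not from the thread: check the two preconditions for
# "tls_ssl_options = NO_RENEGOTIATION" to actually take effect in Postfix.

# Return 0 if an "openssl version" string such as "OpenSSL 1.1.1d  10 Sep 2019"
# names a release >= 1.1.1 (SSL_OP_NO_RENEGOTIATION was added in 1.1.1),
# 1 otherwise (including unparseable input).
openssl_supports_no_renegotiation() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    # Split "major.minor.patch"; a missing patch field counts as 0.
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    minor=${minor:-0}
    patch=${patch:-0}
    if [ "$major" -gt 1 ]; then return 0; fi   # 3.x and later
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$minor" -lt 1 ]; then return 1; fi   # 1.0.x
    [ "$patch" -ge 1 ]                          # 1.1.0 -> no, 1.1.1 -> yes
}

# Return 0 if the given main.cf sets tls_ssl_options to a value containing
# NO_RENEGOTIATION (Postfix accepts the option name case-insensitively).
main_cf_has_no_renegotiation() {
    grep -Eiq '^[[:space:]]*tls_ssl_options[[:space:]]*=.*NO_RENEGOTIATION' "$1"
}

# Report both conditions for a main.cf path and a version string;
# returns 0 only when both are satisfied.
report() {
    cf=$1
    verstr=$2
    ok=0
    if openssl_supports_no_renegotiation "$verstr"; then
        echo "OpenSSL is new enough for NO_RENEGOTIATION: $verstr"
    else
        echo "OpenSSL too old (need >= 1.1.1), option will have no effect: $verstr"
        ok=1
    fi
    if main_cf_has_no_renegotiation "$cf"; then
        echo "main.cf sets tls_ssl_options with NO_RENEGOTIATION"
    else
        echo "main.cf does not set NO_RENEGOTIATION in tls_ssl_options"
        ok=1
    fi
    return $ok
}

# Live check against the local system (only when invoked with --check):
# assumes "openssl version" matches the libssl Postfix is linked to; if in
# doubt, compare with: ldd "$(postconf -h daemon_directory)/smtpd" | grep ssl
if [ "${1-}" = "--check" ]; then
    report "${2:-/etc/postfix/main.cf}" "$(openssl version)"
fi
```

Run `sh check.sh --check /etc/postfix/main.cf` on the mail host; a non-zero exit means either the library is too old or the option is not configured, which matches the two causes the reply distinguishes.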