Re: [exim-dev] DANE library for Exim + OpenSSL and upcoming …

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] DANE library for Exim + OpenSSL and upcoming OpenSSL 3.0.0 release.
On Thu, Aug 12, 2021 at 08:59:54PM +0100, Jeremy Harris via Exim-dev wrote:

> On 12/08/2021 15:30, Viktor Dukhovni via Exim-dev wrote:
> > You'd be able to drop the "danessl" library.
>
> You mean, the three source files. No library involved.


Yes, the copy of the library imported into Exim.

> > then let it do all the work.
>
> And lose the observability we currently have. I bet the library
> implementations don't expose that.


I wrote the built-in DANE support in OpenSSL; it provides some
introspection hooks you can call at the conclusion of the handshake
to report on whether DANE happened, and how the peer was matched.

Postfix did not lose any substantive observability when moving
to the OpenSSL built-in DANE support.

> > No, there's no DANE support in LibreSSL. My advice would be to drop
> > LibreSSL support.
>
> Can't; the FreeBSD guys like it.


Perhaps you mean OpenBSD; FreeBSD 12 dropped LibreSSL and went back to
OpenSSL. My home server is FreeBSD.

-- 
    Viktor.
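
The post-handshake introspection mentioned in the message, sketched with OpenSSL's `SSL_get0_dane_authority()` and `SSL_get0_dane_tlsa()` (OpenSSL 1.1.0 and later). This is an added example, not code from Exim, Postfix or the message's author; `dane_describe()`, `dane_report()`, the `USE_OPENSSL` build switch and the log-line format are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: turn the values the introspection calls return into
 * one log line (format constructed for this example).
 * depth < 0  : no TLSA record matched (DANE not enabled or verification failed)
 * depth == 0 : the peer's own certificate matched
 * depth > 0  : a certificate or key further up the chain matched */
int dane_describe(int depth, uint8_t usage, uint8_t selector, uint8_t mtype,
                  int bare_key, char *out, size_t outlen)
{
    /* RFC 7218 acronyms for the TLSA usage, selector and matching type */
    static const char *usages[] = { "PKIX-TA", "PKIX-EE", "DANE-TA", "DANE-EE" };
    static const char *selectors[] = { "Cert", "SPKI" };
    static const char *mtypes[] = { "Full", "SHA2-256", "SHA2-512" };

    if (depth < 0)
        return snprintf(out, outlen, "DANE: no TLSA match");
    return snprintf(out, outlen,
                    "DANE: TLSA %s(%u) %s(%u) %s(%u) matched %s at depth %d",
                    usage < 4 ? usages[usage] : "?", (unsigned)usage,
                    selector < 2 ? selectors[selector] : "?", (unsigned)selector,
                    mtype < 3 ? mtypes[mtype] : "?", (unsigned)mtype,
                    bare_key ? "bare trust-anchor key"
                             : depth == 0 ? "peer certificate" : "issuer certificate",
                    depth);
}

#ifdef USE_OPENSSL   /* build with -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>

/* Call once SSL_connect() has succeeded on a connection that was set up
 * with SSL_CTX_dane_enable(), SSL_dane_enable() and SSL_dane_tlsa_add(). */
int dane_report(SSL *ssl, char *out, size_t outlen)
{
    X509 *mcert = NULL;      /* matched certificate, if any */
    EVP_PKEY *mspki = NULL;  /* set instead when a bare public key matched */
    uint8_t usage = 0, selector = 0, mtype = 0;
    int depth = -1;

    if (SSL_get_verify_result(ssl) == X509_V_OK)
        depth = SSL_get0_dane_authority(ssl, &mcert, &mspki);
    if (depth >= 0)          /* fetch the fields of the record that matched */
        SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
    return dane_describe(depth, usage, selector, mtype, mspki != NULL,
                         out, outlen);
}
#endif
```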