unknown tls_ssl_options value "tlsext_padding"

unknown tls_ssl_options value "tlsext_padding"

A. Schulze
Hello,

postfix-3.4.4 linked with openssl-1.1.1b

$ postconf tls_ssl_options
tls_ssl_options = no_compression, tlsext_padding

produces this log:
Mar 30 21:04:12 danube postfix/smtpd[9075]: warning: unknown tls_ssl_options value "tlsext_padding" in "no_compression, tlsext_padding"

While it makes no sense, I placed all options [1] and still get only errors regarding tlsext_padding:
Mar 30 21:10:48 danube postfix/smtpd[9222]: warning: unknown tls_ssl_options value "TLSEXT_PADDING" in "ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, NO_TICKET, NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGOTIATION, PRIORITIZE_CHACHA, TLSEXT_PADDING"

[1] http://www.postfix.org/postconf.5.html#tls_ssl_options

Andreas


Re: unknown tls_ssl_options value "tlsext_padding"

John Fawcett
On 30/03/2019 21:20, A. Schulze wrote:

> Hello,
>
> postfix-3.4.4 linked with openssl-1.1.1b
>
> $ postconf tls_ssl_options
> tls_ssl_options = no_compression, tlsext_padding
>
> produces this log:
> Mar 30 21:04:12 danube postfix/smtpd[9075]: warning: unknown tls_ssl_options value "tlsext_padding" in "no_compression, tlsext_padding"
>
> While it makes no sense, I placed all options [1] and still get only errors regarding tlsext_padding:
> Mar 30 21:10:48 danube postfix/smtpd[9222]: warning: unknown tls_ssl_options value "TLSEXT_PADDING" in "ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, NO_TICKET, NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGOTIATION, PRIORITIZE_CHACHA, TLSEXT_PADDING"
>
> [1] http://www.postfix.org/postconf.5.html#tls_ssl_options
>
> Andreas
>
It looks like an error in the documentation. TLSEXT_PADDING can be
specified in tls_disable_workarounds to turn the feature off. It cannot
be specified (and is not needed) in tls_ssl_options. If you don't
specify it in tls_disable_workarounds it will be enabled.

John
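
A small log triage helper for the warning discussed in this thread, added here as an example and not part of the original posts or of Postfix: it pulls the rejected name out of each warning and shows the tls_ssl_options value with that name removed. The function names, the comma/whitespace splitting rule and the last sample log line are assumptions.

```python
import re

# Warning format as logged in this thread (postfix-3.4.4).
WARNING_RE = re.compile(
    r'postfix/(?P<daemon>[\w-]+)\[\d+\]: warning: unknown tls_ssl_options '
    r'value "(?P<bad>[^"]+)" in "(?P<setting>[^"]*)"'
)

# Per the reply in this thread: this name belongs in tls_disable_workarounds,
# where listing it turns the feature off.
WORKAROUND_ONLY = {"tlsext_padding"}


def split_options(setting):
    # Assumption: names are separated by commas and/or whitespace,
    # as in the values shown in the thread.
    return [tok for tok in re.split(r"[,\s]+", setting.strip()) if tok]


def triage(log_lines):
    """Return one finding per distinct (setting, rejected name) pair."""
    findings = {}
    for line in log_lines:
        m = WARNING_RE.search(line)
        if not m:
            continue
        bad, setting = m.group("bad"), m.group("setting")
        # Names are compared case-insensitively: the thread shows the same
        # name rejected in both lower and upper case.
        kept = [t for t in split_options(setting) if t.lower() != bad.lower()]
        entry = findings.setdefault((setting, bad.lower()), {
            "rejected": bad,
            "cleaned": ", ".join(kept),
            "workaround_only": bad.lower() in WORKAROUND_ONLY,
            "daemons": set(),
            "count": 0,
        })
        entry["daemons"].add(m.group("daemon"))
        entry["count"] += 1
    return list(findings.values())


# The two warnings quoted in the thread, plus one constructed non-warning line.
SAMPLE_LOG = [
    'Mar 30 21:04:12 danube postfix/smtpd[9075]: warning: unknown tls_ssl_options value "tlsext_padding" in "no_compression, tlsext_padding"',
    'Mar 30 21:10:48 danube postfix/smtpd[9222]: warning: unknown tls_ssl_options value "TLSEXT_PADDING" in "ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, NO_TICKET, NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGOTIATION, PRIORITIZE_CHACHA, TLSEXT_PADDING"',
    'Mar 30 21:10:49 danube postfix/smtpd[9222]: connect from unknown[192.0.2.10]',  # constructed
]
```

For each finding, `cleaned` is the value to set for tls_ssl_options, and `workaround_only` marks names that the reply says are handled through tls_disable_workarounds instead.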