On 6. Feb 2025, at 13.36, Stuart Henderson via dovecot <dovecot@dovecot.org> wrote:
On 2025-01-29, Timo Sirainen via dovecot <dovecot@dovecot.org> wrote:
On 25. Jan 2025, at 22.29, Brad Smith via dovecot <dovecot@dovecot.org> wrote:
Test building 2.4 I see the last commit to the SSL code before the release went out broke building with LibreSSL..
https://github.com/dovecot/core/commit/77d50a6b5e75796896e8e5b437783a9949790...
CC iostream-openssl.lo iostream-openssl.c:756:55: warning: unused parameter 'ssl_io' [-Wunused-parameter] openssl_iostream_get_compression(struct ssl_iostream *ssl_io) ^ iostream-openssl.c:893:4: error: use of undeclared identifier 'SSL_OP_NO_RENEGOTIATION' SSL_OP_NO_RENEGOTIATION)) {
Well, the question is then whether LibreSSL does renegotiation always or never with <TLSv1.3? That determines whether we disable channel binding entirely with LibreSSL + <TLSv1.3 or always allow it.
SSL_OP_NO_CLIENT_RENEGOTIATION probably does what you want.
I saw that, but I'm not familiar enough with OpenSSL / LibreSSL to know for sure. So I just played safe and made it not support channel binding with TLS v1.2 and older. Probably no client would try to do that anyway.