--- postfix-3.3.1/man/man5/postconf.5
+++ postfix-3.3.2/man/man5/postconf.5
@@ -8076,6 +8077,9 @@
"SSLv3"). The latest patch levels of Postfix >= 2.6, and all
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
.PP
At the dane and
dane\-only security
@@ -8391,6 +8397,9 @@
and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -11669,6 +11679,9 @@
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
Example:
.PP
.nf
@@ -11697,6 +11711,9 @@
and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
.PP
To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
--- postfix-3.3.1/proto/postconf.proto
+++ postfix-3.3.2/proto/postconf.proto
@@ -11208,6 +11210,9 @@
"SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
<a href="TLS_README.html#client_tls_dane">dane-only</a> security
@@ -11405,6 +11411,9 @@
disabled. The latest patch levels of Postfix ≥ 2.6, and all
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
<p> Example: </p>
@@ -12561,6 +12573,9 @@
and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -12593,6 +12609,9 @@
and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
--- postfix-3.3.1/src/tls/tls.h
+++ postfix-3.3.2/src/tls/tls.h
@@ -372,10 +415,15 @@
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
-#ifdef SSL_TXT_TLSV1_3
+ /*
+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
+ * own.
+ */
+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
+
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else
-#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
@@ -383,7 +431,7 @@
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
#define TLS_SSL_OP_PROTOMASK(m) \
((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
--- postfix-3.3.1/src/tls/tls_misc.c
+++ postfix-3.3.2/src/tls/tls_misc.c
@@ -279,7 +306,7 @@
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
0, TLS_PROTOCOL_INVALID,
};