Mailing List Archive

TLS 1.3 support & more
Hi together,

I've updated my set of djb compliant enhancements in particular for qmail providing the following tools:

a) fehQlibs is a collection of low-level programs used throughout all DJB routines, but now including full IPv6 support.
This is the base of my developments and can be compared with libowfat from Felix von Leitner (fefe).

b) Based on fehQlibs I've updated ucspi-tcp6 to level 1.10.

b) Based on fehQlibs I've released ucspi-ssl to provide TLS 1.3. support together with OpenSSL 1.3 (ucspi-ssl-0.10.6).
It is possible to build ucspi-ssl with OpenSSL 1.1.1 support alongside with your Unix system's older LibreSSL or OpenSSL library. In fact, you may use two different versions of sslserver concurrently.

c) Based on fehQlibs djbdnscurve6 is provided.

d) s/qmail 3.3.22 is available including some minor fixes.
For the forthcoming version - either s/qmail 3.4 or aqmail - fehQlibs will be used as well.

s/qmail as well as my former version of qmail+SPAMCONTROL patch will be TLS 1.3 enabled with ucspi-ssl-0.10.

The basic 'modern' cryptographic routines of OpenSSL 1.1.1 are DJB's curve25519 for the TLS handshake, ChaCha20 as stream cipher together with Poly1305 for AEAD. You may lookup the header of this email to investigate the used TLS protocol + ciphers.

However, as discussed during the development of TLS 1.3, middleboxes may be inferior handling TLS 1.3 traffic and block it while not recognising the new TLS record structure.
s/qmail includes the possibility to mitigate those while using un-encrypted traffic to those sites.

An overview of my current developments and downloads of those packages can be found here:

Though not tested on all existing *iX variants, I tried best to make the SW compatible with *BSD and Linux systems. OpenSSL 1.1.1 does currently not build on OmniOS out-of-the-box.


Dr. Erwin Hoffmann | FEHCom | | PGP Key-Id 7E4034BE