On Mon, Jan 20, 2014 at 02:02:49PM +0100, Wolfgang Breyha wrote:
> I see a massive increase in SSL handshake failures after updating the
> ca-certificates RPM last Friday. I can't tell what exactly happens, but some
> facts:
>
> *) exim-4.82
> *) openssl 1.0.1e
> *) ca-certificates-2013.1.95-65.1.el6_5.noarch
> *) revision till Friday: ca-certificates-2010.63-3.el6_1.5.noarch.rpm
> *) tls_try_verify_hosts = *
> tls_verify_certificates = /etc/pki/tls/cert.pem
In Postfix we recommend the following:
- Don't request client certificates on the default SMTP port.
# default
smtpd_tls_ask_ccert = no
- Optionally request these on a dedicated submission port dedicated for
clients that authenticate via client certs.
# master.cf
2525 inet ... smtpd
-o smtpd_tls_ask_ccert=yes
...
- Configure a short SMTP server CAfile (possibly empty), at least with
OpenSSL, only the CAfile authority subject DNs are added to the client
certificate request.
# Typically empty!
smtpd_tls_CAfile =
- If the SMTP server needs to validate client certificates against a
set of trusted authorities use a CApath directory for that. These
are not included in the client certificate request.
smtpd_tls_CApath = /some/certs/directory
Don't know how this translates to Exim, but there are likely similar
configuration settings. Postfix by default ignores the default CA
cert locations compiled into OpenSSL. Only CAs explicitly designated
by the user are used.
--
Viktor.
