Re: [exim] massive increase in SSL handshake failures after …

Author: Wolfgang Breyha
Date:  
To: exim-users
Subject: Re: [exim] massive increase in SSL handshake failures after root-CA update
On 20/01/14 17:35, Viktor Dukhovni wrote:
> In Postfix we recommend the following:
>
>     - Don't request client certificates on the default SMTP port.
>

Why? Requesting client certs is not a bad idea... my troubles aside.

>     - Configure a short SMTP server CAfile (possibly empty), at least with
>       OpenSSL, only the CAfile authority subject DNs are added to the client
>       certificate request.
>
>     # Typically empty!
>     smtpd_tls_CAfile = 
>
>     - If the SMTP server needs to validate client certificates against a
>       set of trusted authorities use a CApath directory for that.  These
>       are not included in the client certificate request.
>
>     smtpd_tls_CApath = /some/certs/directory
>
> Don't know how this translates to Exim, but there are likely similar
> configuration settings. Postfix by default ignores the default CA
> cert locations compiled into OpenSSL. Only CAs explicitly designated
> by the user are used.


For OpenSSL it's the same. But using a path instead of the usually provided
ca-bundle.crt is a little bit complicated. For GnuTLS
gnutls_certificate_send_x509_rdn_sequence(ctx, 1) has to be used to disable
sending the DN list.

Don't know if an option should be added to do it for both the same way. Not
calling SSL_CTX_set_client_CA_list() works for OpenSSL.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria
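The point made in this thread, that every CA name handed to the TLS library for the client certificate request is sent in clear to each connecting client, can be checked end to end. This is an added example in Go, not code from the thread, Exim or Postfix: it uses Go's crypto/tls, where the ClientCAs pool plays the role of the OpenSSL CAfile, and runs the handshake over an in-memory pipe with a constructed throwaway certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed test data, not a real CA).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	tmpl.Subject.CommonName = cn
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// advertisedCAs runs one in-memory handshake and reports how many CA subject DNs the server
// put into its CertificateRequest: every name in ClientCAs (CAfile behaviour), none for a nil pool.
func advertisedCAs(pool *x509.CertPool) (n int, err error) {
	srv := &tls.Config{Certificates: []tls.Certificate{selfSigned("smtp.example.invalid")},
		ClientAuth: tls.RequestClientCert, ClientCAs: pool, SessionTicketsDisabled: true} // no ticket write once the client is done
	cli := &tls.Config{InsecureSkipVerify: true, // throwaway server cert, nothing to verify
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			n = len(cri.AcceptableCAs)      // DER subject names carried by the request
			return &tls.Certificate{}, nil // present no client certificate
		}}
	c, s := net.Pipe()
	defer c.Close() // also unblocks the server goroutine if the handshake fails
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srv).Handshake() }()
	if err = tls.Client(c, cli).Handshake(); err != nil {
		return 0, err
	}
	return n, <-errc
}

func main() {
	ca, _ := x509.ParseCertificate(selfSigned("Example Root CA").Certificate[0]) // stands in for ca-bundle.crt
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(advertisedCAs(pool)) // 1 <nil>
	fmt.Println(advertisedCAs(nil))  // 0 <nil>
}
```

Go has no CApath counterpart: to verify client chains without advertising the trust anchors, leave ClientCAs nil and check the presented chain against a private pool in VerifyPeerCertificate.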