On 20/01/14 17:35, Viktor Dukhovni wrote:
> In Postfix we recommend the following:
>
> - Don't request client certificates on the default SMTP port.
>
Why? Requesting client certs is not a bad idea... my troubles aside.
> - Configure a short SMTP server CAfile (possibly empty), at least with
> OpenSSL, only the CAfile authority subject DNs are added to the client
> certificate request.
>
> # Typically empty!
> smtpd_tls_CAfile =
>
> - If the SMTP server needs to validate client certificates against a
> set of trusted authorities use a CApath directory for that. These
> are not included in the client certificate request.
>
> smtpd_tls_CApath = /some/certs/directory
>
> Don't know how this translates to Exim, but there are likely similar
> configuration settings. Postfix by default ignores the default CA
> cert locations compiled into OpenSSL. Only CAs explicitly designated
> by the user are used.
For OpenSSL it's the same. But using a path instead of the usually provided
ca-bundle.crt is a little bit complicated. For GnuTLS
gnutls_certificate_send_x509_rdn_sequence(ctx, 1) has to be used to disable
sending the DN list.
Don't know if an option should be added to do it for both the same way. Not
calling SSL_CTX_set_client_CA_list() works for OpenSSL.
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
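Added example, not part of the thread above: a small Python parser for the TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4), so you can see exactly which authority DNs a server advertises. The certificate_authorities field is what an OpenSSL server fills from its CAfile (via SSL_CTX_set_client_CA_list()) and what Viktor recommends keeping empty. The DER encoder and the two CA names are constructed fixtures for an offline run; they are not from Postfix, Exim, or any real deployment.

```python
"""Inspect the certificate_authorities DN list in a TLS 1.2 CertificateRequest.

The parser reads a raw handshake body; the encoder below it only exists to
build sample messages offline (it is not a server implementation).
"""
import struct

# DER-encoded X.501 attribute OIDs printed by short name; anything else is shown as hex.
OID_NAMES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x06": "C",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
}


def _der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, pos = first, pos + 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Decode a DER X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to text."""
    tag, rdn_seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _der_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _der_tlv(rdn, p)
            _, oid, q = _der_tlv(atv, 0)             # AttributeType
            _, value, _ = _der_tlv(atv, q)           # AttributeValue (string)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def parse_certificate_request(body):
    """Parse a TLS 1.2 CertificateRequest body (4-byte handshake header already removed)."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, cas = pos + n, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        cas.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities vector")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


# --- constructed fixtures: a tiny DER encoder used only to build sample messages ---

def _der(tag, value):
    """Encode one DER TLV with a definite length."""
    if len(value) < 0x80:
        header = bytes([len(value)])
    else:
        lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + header + value


def encode_name(attrs):
    """Encode [("C", "AT"), ("CN", "...")] as a DER Name, one RDN per attribute.
    Every value is emitted as UTF8String (0x0c); fine for a test fixture."""
    oids = {short: oid for oid, short in OID_NAMES.items()}
    rdns = b"".join(
        _der(0x31, _der(0x30, _der(0x06, oids[k]) + _der(0x0c, v.encode())))
        for k, v in attrs)
    return _der(0x30, rdns)


def build_certificate_request(ca_names):
    """Build a CertificateRequest body advertising rsa_sign/ecdsa_sign plus the given DNs."""
    cert_types = bytes([1, 64])            # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])         # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


# Made-up CA names: what a server with two CAs in its CAfile would advertise,
# versus one that keeps the client CA list empty as the thread recommends.
WITH_CA_LIST = build_certificate_request([
    encode_name([("C", "AT"), ("O", "Example Org"), ("CN", "Example Internal CA")]),
    encode_name([("C", "US"), ("O", "Partner Inc"), ("CN", "Partner Root CA")]),
])
EMPTY_CA_LIST = build_certificate_request([])

if __name__ == "__main__":
    for label, body in (("CAfile populated", WITH_CA_LIST), ("empty client CA list", EMPTY_CA_LIST)):
        req = parse_certificate_request(body)
        print(f"{label}: {len(body)} bytes, advertised CAs: {req['certificate_authorities'] or 'none'}")
```

Against a live server the same information is visible without any parsing: `openssl s_client -connect host:25 -starttls smtp` prints the advertised list under "Acceptable client certificate CA names", or "No client certificate CA names sent" when the list is empty, which is the state the empty smtpd_tls_CAfile setting above produces. Note this parser covers the TLS 1.2 message layout; TLS 1.3 moves the same list into a certificate_authorities extension.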