Re: [exim] massive increase in SSL handshake failures after …

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] massive increase in SSL handshake failures after root-CA update
On Mon, Jan 20, 2014 at 11:57:07PM +0100, Wolfgang Breyha wrote:

> On 20/01/14 17:35, Viktor Dukhovni wrote:
> > In Postfix we recommend the following:
> >
> >     - Don't request client certificates on the default SMTP port.

> >
>
> Why? Requesting client certs is not a bad idea... my troubles aside.


Because asking for client certificates tickles bugs in client
implementations, and unlike MSAs with client cert based access
rules, MX hosts accept mail from everyone, even cleartext clients,
so client certs are not useful (everything works the same or better
without them).

-- 
    Viktor.