Re: [exim-dev] Should we always load the default trust store…

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-dev
Temat: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty) string
On Thu, Nov 27, 2014 at 07:01:44PM +0100, Andreas Metzler wrote:

> just to add another piece of the puzzle: Last time I checked
> exim/openssl and exim/gnutls had a major difference in behavior with
> respect to tls_(try)verify_certificates: exim/GnuTLS would send the
> list of acceptable TLS certificates in the SSL handshake. If the list
> is long enough, this breaks interconnectivity.
>
> I do not know whether the code has changed since, though.


With OpenSSL that list (of distinguished names, not full certificates)
is taken from the list of CAs in CAfile, with the CAs in CApath
used only for verification, but not for "hinting".

I don't know what GnuTLS does, but I generally recommend a short
or empty CAfile, with verification-only certificates in CApath.
This also yields a lower memory footprint. In other words,
don't use an in-memory bundle file, use a hashed directory.

-- 
    Viktor.