Re: [exim] Exim 4.88 RC4 uploaded

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim 4.88 RC4 uploaded
On Sat, Nov 19, 2016 at 06:36:38PM +0100, Torsten Tributh wrote:

> > What happens when you try it?
> The first cert in the new double chain will be used, and only the
> ECDSA ciphers which match the first cert are visible.

This is correct. The OpenSSL interface for loading a certificate
and its chain loads one leaf certificate per call.

To concurrently support multiple algorithms, one must load multiple
chain files (and multiple corresponding private keys). Putting
aside SNI, OpenSSL supports at most one keypair per algorithm.

This is why Postfix has three pairs of cert configuration parameters.

    * smtpd_tls_cert_file, smtpd_tls_key_file
    * smtpd_tls_dcert_file, smtpd_tls_dkey_file
    * smtpd_tls_eccert_file, smtpd_tls_eckey_file
Though, in practice no type constraints are enforced, and one
can store RSA certs in the EC cert file, DSA certs in the
RSA cert file, and RSA certs in the DSA cert file.

The interface should (with 20/20 hindsight) perhaps have been simply
a single list of filename pairs.

The Postfix SMTP server loads each of the three keypairs in turn
when the corresponding configuration parameter is non-empty.

I'll soon have to figure out what to do about X25519 and 448.

-- 
    Viktor.
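The message above explains that OpenSSL loads one leaf per chain file, that Postfix therefore exposes one cert/key parameter pair per algorithm, and that nothing checks whether the file in each slot actually holds the algorithm its name suggests. The following shell script is an added example, not code from the post or from the Postfix project: it generates a throwaway RSA chain and an ECDSA chain with the openssl command-line tool, reports the public-key algorithm of the first (leaf) certificate in each PEM file, verifies that the RSA slot holds an RSA leaf and the EC slot an EC leaf, and prints the matching main.cf lines. The directory layout, file names and the CN "mail.example.test" are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from Postfix): build one
# RSA and one ECDSA self-signed chain, confirm which algorithm the first
# (leaf) certificate in each PEM file carries, and emit Postfix parameters.
# File names and the CN "mail.example.test" are constructed for this demo.

# Print the public-key algorithm of the first certificate in a PEM file;
# that first certificate is the one OpenSSL treats as the leaf.
leaf_key_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Create demo keypairs in DIR: rsa-chain.pem/rsa.key and ec-chain.pem/ec.key.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/rsa.key" -out "$dir/rsa-chain.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$dir/ec.key" -out "$dir/ec-chain.pem" 2>/dev/null
}

# Postfix enforces no type constraint per slot, so check it yourself:
# succeed only when the RSA slot holds an RSA leaf and the EC slot an EC leaf.
check_cert_slots() {
    [ "$(leaf_key_algo "$1")" = "rsaEncryption" ] \
        || { echo "RSA slot: $1 does not hold an RSA leaf" >&2; return 1; }
    [ "$(leaf_key_algo "$2")" = "id-ecPublicKey" ] \
        || { echo "EC slot: $2 does not hold an EC leaf" >&2; return 1; }
}

# main.cf lines that load both keypairs (the DSA slot is left unset).
postfix_tls_fragment() {
    dir=$1
    printf 'smtpd_tls_cert_file = %s/rsa-chain.pem\n' "$dir"
    printf 'smtpd_tls_key_file = %s/rsa.key\n' "$dir"
    printf 'smtpd_tls_eccert_file = %s/ec-chain.pem\n' "$dir"
    printf 'smtpd_tls_eckey_file = %s/ec.key\n' "$dir"
}

# Run the whole demo only when DEMO_RUN=1 is set in the environment.
if [ "${DEMO_RUN:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    check_cert_slots "$d/rsa-chain.pem" "$d/ec-chain.pem" && postfix_tls_fragment "$d"
fi
```

Run it with `DEMO_RUN=1 sh demo.sh`; swapping the two file arguments to `check_cert_slots` shows the misconfiguration the post warns about being caught before Postfix silently serves the wrong key type from a slot.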