Loading...

postfix-devel@postfix.org

[Prev] Thread [Next]  |  [Prev] Date [Next]

Excessive CertificateRequest messages when CAfile is configured Adam Langley Fri Feb 03 07:28:29 2012

When smtpd is configured to ask for client certificates and a CAfile
is configured, then the X509 names of all the CA certificates will be
sent in the CertificateRequest. That's correct behaviour as the names
in a CertificateRequest are intended to guide certificate selection:

http://tools.ietf.org/html/rfc5246#section-7.4.4

However, when CAfile consists of a complete list of public CAs, as
seems quite common, the guidance is rather superfluous and the
CertificateRequest is huge. For example, try:

$ openssl s_client -tls1 -connect mx4-sjl.mta.salesforce.com:25 -starttls smtp
...
SSL handshake has read 23311 bytes and written 332 bytes

A 23KB TLS handshake was probably not what was intended by the administrator.

The attached patch (and I don't know what I'm doing when it comes to
patching Postfix - it's mostly illustrative) disables sending the CA
list by default and adds an option (smtpd_tls_send_cas) to enable.
Although this is a change of behaviour, I think that it's the right
thing to do in most cases.


Cheers

AGL

-- 
Adam Langley [EMAIL PROTECTED] http://www.imperialviolet.org