Loading...

postfix-devel@postfix.org

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: Excessive CertificateRequest messages when CAfile is configured Viktor Dukhovni Fri Feb 03 07:28:56 2012

On Mon, Jan 30, 2012 at 05:44:00PM -0500, Adam Langley wrote:

> However, when CAfile consists of a complete list of public CAs, as
> seems quite common, the guidance is rather superfluous and the
> CertificateRequest is huge. For example, try:

Don't use a large list of CAs in a CAfile, that's what CApath is for.

        http://www.postfix.org/TLS_README.html#server_cert_key

        ...

        When you configure the Postfix SMTP server to request client
        certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
        are sent to the client, in order to allow it to choose an identity
        signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
        preferred CA list is sent, and the client is free to choose an
        identity signed by any CA. Many clients use a fixed identity
        regardless of the preferred CA list and you may be able to reduce
        TLS negotiation overhead by installing client CA certificates mostly
        or only in $smtpd_tls_CApath. In the latter case you need not
        specify a $smtpd_tls_CAfile.

No patch is required, users should not configure huge CAfiles.

-- 
        Viktor.