postfix-devel@postfix.org
Re: Excessive CertificateRequest messages when CAfile is configured Viktor Dukhovni Fri Feb 03 07:29:01 2012
On Mon, Jan 30, 2012 at 11:19:51PM +0000, Viktor Dukhovni wrote:
> On Mon, Jan 30, 2012 at 05:44:00PM -0500, Adam Langley wrote:
>
> > However, when CAfile consists of a complete list of public CAs, as
> > seems quite common, the guidance is rather superfluous and the
> > CertificateRequest is huge. For example, try:
>
> Don't use a large list of CAs in a CAfile, that's what CApath is for.
>
> http://www.postfix.org/TLS_README.html#server_cert_key
>
> ...
>
> When you configure the Postfix SMTP server to request client
> certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
> are sent to the client, in order to allow it to choose an identity
> signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
> preferred CA list is sent, and the client is free to choose an
> identity signed by any CA. Many clients use a fixed identity
> regardless of the preferred CA list and you may be able to reduce
> TLS negotiation overhead by installing client CA certificates mostly
> or only in $smtpd_tls_CApath. In the latter case you need not
> specify a $smtpd_tls_CAfile.
>
> No patch is required, users should not configure huge CAfiles.
If there is a compelling case for customizing the CA list separately
from CAfile, the right interface would I think not be a boolean to
suppress the CAfile, but rather a separate parameter to specify the
CAs to send, which defaults to "$smtpd_tls_CAfile".
Most SMTP servers don't ask for client certs, and those that do, typically
have short CAfiles that list only private-label CAs...
--
Viktor.
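The two server layouts Viktor contrasts, written out as main.cf fragments. This is an added illustration, not configuration from the thread or from the Postfix documentation; the parameter names are the real Postfix ones, the file paths and the CA counts are assumed for the example.

```conf
# --- Weak: a large public-CA bundle as smtpd_tls_CAfile (assumed path).
# When the server asks for a client certificate, the DN of every CA in
# this file is copied into the CertificateRequest, so one message carries
# hundreds of DNs even though most clients ignore the list.
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file  = /etc/postfix/server.key
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile    = /etc/ssl/certs/ca-bundle.crt

# --- Preferred: only the private-label issuer(s) whose client certs you
# actually want offered go in CAfile; any other trusted roots live in
# CApath, which is consulted for verification but never advertised.
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file  = /etc/postfix/server.key
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile    = /etc/postfix/client-ca.pem
smtpd_tls_CApath    = /etc/postfix/certs

# Variant: no CAfile at all. No preferred-CA list is sent and the client
# may present a certificate from any issuer found in CApath.
# smtpd_tls_CAfile  =
# smtpd_tls_CApath  = /etc/postfix/certs
```

CApath is an OpenSSL hash directory, so after dropping PEM files into it run `c_rehash /etc/postfix/certs` (or `openssl rehash` on newer OpenSSL) to create the hash symlinks; a directory without them silently matches nothing. If smtpd runs chrooted, the directory must also be visible inside the chroot. `postconf -n | grep smtpd_tls_CA` shows what is actually in effect.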