Re: Excessive CertificateRequest messages when CAfile is configured

On Mon, Jan 30, 2012 at 6:23 PM, Viktor Dukhovni
<[EMAIL PROTECTED]> wrote:
>> No patch is required, users should not configure huge CAfiles.

CApath is harder for people to use and so they often don't. It looks
like a standard Ubuntu install has a hashed directory while Fedora
doesn't. The hash function also changes between OpenSSL 0.9.8 and
1.0.0.

I agree that this is a misconfiguration, but it seems that people are
getting it wrong. I don't personally have a problem with it, it's just
something that I observed.

> If there is a compelling case for customizing the CA list separately
> from CAfile, the right interface would I think not be a boolean to
> suppress the CAfile, but rather a separate parameter to specify the
> CAs to send, which defaults to "$smtpd_tls_CAfile".

Yep, that makes sense to. Happy to rework the patch if folks like
that, although I suspect that a real Postfix developer would throw it
away and do it right in either case.


Cheers

AGL

-- 
Adam Langley [EMAIL PROTECTED] http://www.imperialviolet.org