Re: Excessive CertificateRequest messages when CAfile is configured Adam Langley Fri Feb 03 07:29:29 2012

On Mon, Jan 30, 2012 at 6:23 PM, Viktor Dukhovni
>> No patch is required, users should not configure huge CAfiles.

CApath is harder for people to use and so they often don't. It looks
like a standard Ubuntu install has a hashed directory while Fedora
doesn't. The hash function also changes between OpenSSL 0.9.8 and

I agree that this is a misconfiguration, but it seems that people are
getting it wrong. I don't personally have a problem with it, it's just
something that I observed.

> If there is a compelling case for customizing the CA list separately
> from CAfile, the right interface would I think not be a boolean to
> suppress the CAfile, but rather a separate parameter to specify the
> CAs to send, which defaults to "$smtpd_tls_CAfile".

Yep, that makes sense too. Happy to rework the patch if folks like
that, although I suspect that a real Postfix developer would throw it
away and do it right in either case.
Adam Langley [EMAIL PROTECTED] http://www.imperialviolet.org