Achieving trusted TLS connection

Re: Achieving trusted TLS connection

Viktor Dukhovni


> On Feb 1, 2018, at 1:44 PM, Danny Horne <[hidden email]> wrote:
>
> Possibly, do I understand right that I'm going to have to separate all
> cacerts from the bundle files before using rehash?

Yes, but if your OS distribution does not provide a package that handles
all this, perhaps you should just stick with:

  tls_append_default_CA = no
  smtpd_tls_CApath = /etc/pki/tls/certs

which will include the CA bundle, but in a way that won't also leak it
to each client as the list of preferred CAs, which you'd get with
explicitly setting smtpd_tls_CAfile.

The point is that the list of trusted CAs may change from time to time,
and you probably don't want to be stuck with stale copies...

Or just don't ask for client certs! Is it painful enough yet? :-)

--
        Viktor.
