Victor Duchovni wrote:
>> So this should not be used to verify a server's certificate. In
>> practice, if the file pointed to by smtp_tls_CAfile is a concatenation
>> of CA certificates, then they are all used to verify the server's
>> certificate.
>
> Yes, smtp_tls_CAfile is used to verify server certificates, you can have
> all the trusted CAs in one file, or as separate (hashed via c_rehash)
> files in the directory named by smtp_tls_CApath.
>
> If your client certificate trust chain is incomplete, OpenSSL will use
> certificates from CAfile to construct the complete trust chain to send
> to the server.
>
Ok, so smtp_tls_CAfile actually has two distinct uses, only one of which is documented in postconf(5).

(While in the description of smtpd_tls_CAfile it is clear that the file can be used either to indicate trusted CAs for client certificate verification, or for sending the clients the missing items in the trust chain. Btw, the description of smtpd_tls_CAfile sounds very unclear to me in this respect ("server offers to remote SMTP clients for the purpose of client certificate verification": you don't offer a certificate to someone to allow him to verify his own certificate; you either use a trusted certificate to verify someone else's certificate, or send him certificates to allow him to verify yours.)

> If you do configure client certificates (don't unless you know you
> need them), it is best to place the full trust chain in the client
> certificate file, leaf certificate first, then any intermediate CA
> that signed the leaf cert, and so on up to the root.
>
I need client certificates for TLS-based relaying. Since I'm using fingerprint verification on the server side, I don't actually need the certificates to be certified by a CA. But I was annoyed by all the "could not verify server certificate" messages in the client's log. So I decided to set up my own private CA. Both the client and server certificate are signed by this CA, so in my case the trust chain is actually very short.

>> OTOH, server certificate verification should be done against
>> certificates in the directory indicated by smtp_tls_CApath. For some
>> reason, I didn't manage to get it working (and yes, I ran c_rehash on
>> this directory).
>
> Perhaps your smtp(8) client is chrooted.
>
I don't think it is. I would otherwise not be able to find the file indicated by smtp_tls_CAfile.

> Perhaps the documentation could be improved, the primary purpose of CA
> is to hold trusted root CA certs, you can choose between a single file
> with multiple certs or a directory with separate certs. The directory
> avoids the cost of loading all the root CAs into memory. If you have a
> lot of root CAs using CApath is more efficient.
>
In my case the file with all trusted CAs is 224K. Is it a problem concerning efficiency?

Thanks,
Manuel.
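The setup discussed in this thread, as an added example that is not part of the original messages or of Postfix itself: a private CA signs a server and a client certificate, the same CA is laid out both as a single smtp_tls_CAfile and as a hashed smtp_tls_CApath directory, the client certificate file is assembled leaf-first as Victor recommends, and `openssl verify` is used to confirm that each trust store accepts the CA-signed certificates and rejects one signed by an unrelated CA. All file names, CNs and the `$WORK` scratch directory are assumptions of this example; it needs OpenSSL 1.1.0 or later for `openssl rehash` and the `-no-CAfile`/`-no-CApath` options.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + both Postfix trust-store forms.
# Assumed, not from the page: file stems, the CN values and the $WORK layout.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed private CA. With the stock openssl.cnf, `req -x509` applies the
# v3_ca section, so the result carries basicConstraints CA:TRUE.
make_ca() {  # $1 = file stem, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate signed by a CA: $1 = leaf stem, $2 = CN, $3 = CA stem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# smtp_tls_CApath form: one file per CA, named <subject-hash>.<n>.
# `openssl rehash` (OpenSSL >= 1.1.0) is the built-in equivalent of c_rehash.
build_capath() {
    mkdir -p "$WORK/capath"
    cp "$WORK/ca.pem" "$WORK/capath/"
    openssl rehash "$WORK/capath" 2>/dev/null || c_rehash "$WORK/capath" >/dev/null
}

# smtp_tls_cert_file: leaf certificate first, then its issuers up to the root.
build_client_chain() {
    cat "$WORK/client.pem" "$WORK/ca.pem" > "$WORK/client-chain.pem"
}

# Verification as the SMTP client would do it, against ONLY our trust store
# (the -no-* options keep the system default CAs out of the picture).
verify_with_cafile() {  # $1 = leaf stem
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" \
        "$WORK/$1.pem" >/dev/null 2>&1
}
verify_with_capath() {  # $1 = leaf stem
    openssl verify -no-CAfile -no-CApath -CApath "$WORK/capath" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# Subject of the FIRST certificate in a PEM file (openssl x509 reads only one),
# which is how to check that a chain file really starts with the leaf.
first_subject() {  # $1 = PEM file
    openssl x509 -in "$1" -noout -subject
}

# Client-cert fingerprint for relay_clientcerts on the server side; the digest
# must match the server's smtpd_tls_fingerprint_digest.
fingerprint() {  # $1 = leaf stem, $2 = digest name (e.g. sha256)
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint "-$2" | cut -d= -f2
}

setup_all() {
    make_ca ca "Example Private CA"
    make_ca rogue-ca "Untrusted CA"            # stands in for an unknown issuer
    issue_cert server mail.example.test ca
    issue_cert client smtp-client.example.test ca
    issue_cert rogue-client smtp-client.example.test rogue-ca
    build_capath
    build_client_chain
}

show_main_cf() {
    cat <<EOF
# main.cf fragment (client side); the paths are this example's scratch files
smtp_tls_CAfile    = $WORK/ca.pem
smtp_tls_CApath    = $WORK/capath
smtp_tls_cert_file = $WORK/client-chain.pem
smtp_tls_key_file  = $WORK/client.key
# CAfile is read before chroot, CApath at run time: a chrooted smtp(8) only
# sees a CApath that lives inside the chroot jail.
EOF
}

setup_all
show_main_cf
```

Running the script leaves a scratch directory with `ca.pem`, `capath/<hash>.0`, `client-chain.pem` and the keys, and prints a main.cf fragment pointing at them. The `rogue-client` certificate exists only to show the failure mode from the thread: a certificate whose issuer is in neither CAfile nor CApath fails verification, which is what produces "could not verify server certificate" on the client side.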