On Wed, Oct 27, 2010 at 07:20:52PM +0200, Laurent CARON wrote:

> On Wed, Oct 27, 2010 at 01:15:13PM -0400, Victor Duchovni wrote:
> > If the configuration was the same with 2.4.5, it did not appear after
> > the upgrade, rather you were testing/looking harder, and the mix
> > of clients or client software versions may have also changed since
> > you last looked closely. The on-the-wire behaviour of ask_ccert
> > has not changed, and Postfix 2.4 fully supports this feature.
>
> The config is exactly the same and didn't change.
>
> The clients didn't change their config either.
>
> Previous version was a Debian package (postfix 2.4.5-4~bpo40+1).
> Maybe a Debian customization or patch has something to do with it.
>
> Will do some more tests ASAP.

Did you change OpenSSL versions? The SMTP server's CAfile extends the
built-in list of CAs used by OpenSSL, so using a newer OpenSSL
installation can change the mix of CAs sent by the server in a client
cert request. Client behaviour may depend on whether the CA (DN) list is
empty or not, and perhaps on the specific content or length.

-- 
	Viktor.
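
An added example, not part of the original message: a parser for the TLS CertificateRequest handshake message that reports how many CA DNs the server sent and their total size, the two properties the reply above says client behaviour may depend on. The function names and the sample DNs are constructed for illustration; the field layout is the one defined for TLS 1.0 through 1.2.

```python
def parse_certificate_request(msg: bytes, tls12: bool = False):
    """Parse one TLS handshake message of type certificate_request (13).

    Returns (certificate_types, [DER-encoded DistinguishedName, ...]).
    TLS 1.2 inserts supported_signature_algorithms before the CA list."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match body")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    cert_types = list(take(take(1)[0]))       # 1-byte length, then types
    if tls12:
        take(int.from_bytes(take(2), "big"))  # skip signature algorithms
    ca_len = int.from_bytes(take(2), "big")   # may be 0: empty CA list
    if ca_len != len(body) - pos:
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < len(body):                    # each DN: 2-byte length + DER
        names.append(take(int.from_bytes(take(2), "big")))
    return cert_types, names

def ca_list_summary(msg: bytes, tls12: bool = False) -> dict:
    _, names = parse_certificate_request(msg, tls12)
    return {"count": len(names), "bytes": sum(len(n) for n in names)}

def der_cn(cn: bytes) -> bytes:
    """Constructed sample: DER Name holding one short CN (UTF8String)."""
    out = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(cn)]) + cn
    for tag in (0x30, 0x31, 0x30):  # AttributeTypeAndValue, RDN SET, Name
        out = bytes([tag, len(out)]) + out
    return out

def build_request(dns, tls12: bool = False) -> bytes:
    """Constructed sample message; rsa_sign (1) is the only cert type."""
    body = b"\x01\x01" + (b"\x00\x02\x04\x01" if tls12 else b"")
    ca = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    body += len(ca).to_bytes(2, "big") + ca
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```

Comparing the summary for the same server before and after an OpenSSL upgrade shows whether the CA list a client receives has changed in count or size.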