On Tue, Jul 29, 2014 at 01:42:18PM +0000, Viktor Dukhovni wrote:

> There were IIRC (also?) some issues with qmail, which is not updated
> terribly frequently. TLS_README says:
>
> Note, that unless client certificates are used to allow greater access to
> TLS authenticated clients, it is best to not ask for client certificates at
> all, as in addition to increased overhead some clients (notably in some
> cases qmail) are unable to complete the TLS handshake when client
> certificates are requested.
>
> This was long ago, someone might need to configure a few versions
> of qmail with TLS and test... No idea which versions of qmail are
> still in use.
A related question is whether we should always (sometimes?, never?) set the
client CA list to match the trusted CA list. The list of DNs is included in
the server's SSL HELLO as a hint of which certificate to choose among many.
I am not aware of any MTA that uses this "hint"; typically the sole client
certificate is used unconditionally. Thus the client CA list can perhaps be
left empty.

What is not clear is whether any MUAs need the "hint", and whether MTAs (say
old versions of qmail) would interoperate better with an empty CA list than
not. Current Postfix behaviour is that the list of CAs sent to the client is
equal to the list of trusted CAs in smtpd_tls_CAfile (but not CApath).

-- 
	Viktor.
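The "hint" discussed in the message above is the certificate_authorities field of the TLS 1.2 CertificateRequest handshake message (RFC 5246 section 7.4.4): a list of DER-encoded distinguished names. The following added example, which is not part of the thread or of Postfix, decodes that field from a handshake message and shows the two client-side policies the message contrasts: honouring the hint versus sending the sole certificate unconditionally. The CA names and handshake bytes are constructed inline; in TLS 1.3 the CertificateRequest is encrypted, so this parser only applies to TLS 1.2 and earlier captures.

```python
"""Decode certificate_authorities from a TLS 1.2 CertificateRequest (RFC 5246 7.4.4).
Added example, not Postfix code; sample names below are constructed."""
import struct

# Attribute type OIDs (DER content bytes) for the name components used here.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def _der_tlv(data, pos):
    """Return (tag, value, next_pos) for one DER element at pos (short or long length)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_name(der):
    """Render a DER X.501 Name as 'C=US, O=..., CN=...' (one attribute per RDN)."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _der_tlv(seq, pos)     # SET of AttributeTypeAndValue
        _, atv, _ = _der_tlv(rdn_set, 0)         # SEQUENCE { type, value }
        _, oid, p = _der_tlv(atv, 0)
        _, value, _ = _der_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)


def parse_certificate_request(msg):
    """Parse a handshake message of type certificate_request (13).
    Returns (certificate_types, signature_algorithms, ca_names)."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 0
    n = body[pos]; pos += 1                                   # certificate_types<1..2^8-1>
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2   # supported_signature_algorithms
    sigalgs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2   # certificate_authorities<0..2^16-1>
    end, ca_names = pos + n, []
    while pos < end:                                          # each DN is opaque<1..2^16-1>
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        ca_names.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    return cert_types, sigalgs, ca_names


# --- Encoder used only to construct sample input ---------------------------------
def _der(tag, value):
    n = len(value)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def encode_name(attrs):
    """attrs: list of (short name, str) -> DER Name with PrintableString values."""
    oid_of = {v: k for k, v in OID_NAMES.items()}
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, oid_of[k]) + _der(0x13, v.encode())))
                    for k, v in attrs)
    return _der(0x30, rdns)


def build_certificate_request(ca_names_der):
    """Build a CertificateRequest advertising rsa_sign and sha256/rsa, plus the given DNs."""
    body = bytes([1, 1]) + struct.pack("!H", 2) + bytes([4, 1])
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names_der)
    body += struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def choose_client_cert(ca_names, candidates):
    """candidates: list of (label, issuer DN string). With a non-empty hint, pick the first
    certificate issued by a listed CA; with an empty hint (or no match policy), behave like
    the MTAs described in the thread and send the sole/first certificate unconditionally."""
    if not ca_names:
        return candidates[0][0] if candidates else None
    for label, issuer in candidates:
        if issuer in ca_names:
            return label
    return None


SAMPLE_CAS = [  # constructed names, not real CAs
    [("C", "US"), ("O", "Example Mail"), ("CN", "Example Mail Root CA")],
    [("C", "US"), ("O", "Example Mail"), ("CN", "Example Mail Client CA")],
]


def demo():
    msg = build_certificate_request([encode_name(a) for a in SAMPLE_CAS])
    types, sigalgs, names = parse_certificate_request(msg)
    candidates = [("mta.pem", "C=US, O=Other, CN=Other CA"),
                  ("client.pem", "C=US, O=Example Mail, CN=Example Mail Client CA")]
    return types, sigalgs, names, choose_client_cert(names, candidates)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run against a captured TLS 1.2 handshake, the parser shows exactly which issuer names a server such as a Postfix smtpd with client certificate verification enabled advertises; an empty list, which the message suggests may be the safer default, parses to `[]` and `choose_client_cert` then falls back to the unconditional behaviour.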