On 11/08/2014 04:29 AM, Viktor Dukhovni wrote:

> On the Postfix side, we'd probably need a key + chain database to
> support SNI, I don't think it is wise to expose keypairs to
> post-chroot privilege-reduced SMTP servers, or to have tlsmgr(8)
> proxy access to keypairs for such servers.

You've considered a lot here that I haven't. Any particular reason, though, why it's bad to put the keys in the chroot?

> The database driver in question has to support large objects, in
> the form of private key + certificate + chain. Users would "compile"
> their PEM chain files to add them to the database, signalling which
> domains and ".example.com" parent domains the chain should apply
> to.

One thing to consider here is that a user might have the same chain (with the exception of the final cert) for most, or all, of his certs. As an example, say I get RapidSSL certs for all 10 of my domains. The current RapidSSL chain is four certs long, so we would have to hold a total of 30 certs in memory (we don't hold the root Equifax cert) if we hold the entire chain for each cert, but we only actually have 12 unique certs, so we've more than doubled the amount of space needed to hold those. Just something to consider on the implementation side.

Peter
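As an added illustration of the deduplication Peter raises (example code, not from the thread or from Postfix): a content-addressed chain store that keeps each PEM object once and maps both exact names and ".parent" names to an ordered list of references, so ten domains sharing two intermediates cost 12 stored objects rather than 30. The PEM blocks and domain names are constructed placeholders, not real keys or certificates.

```python
import hashlib
import re

# Splits a PEM file into its individual blocks (PRIVATE KEY, CERTIFICATE, ...).
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


class ChainStore:
    """Each distinct PEM object is stored once, keyed by the SHA-256 of its
    text; each name maps to an ordered list of those keys (key, leaf,
    intermediates...), so shared intermediates are never duplicated."""

    def __init__(self):
        self.objects = {}     # sha256 hex -> PEM block
        self.chains = {}      # "host.example" or ".parent.example" -> [sha256, ...]
        self.blocks_seen = 0  # what a naive per-chain copy would have stored

    def add_chain(self, names, pem_text):
        refs = []
        for block in PEM_BLOCK.findall(pem_text):
            digest = hashlib.sha256(block.encode()).hexdigest()
            self.objects.setdefault(digest, block)  # dedupe across chains
            refs.append(digest)
            self.blocks_seen += 1
        for name in names:
            self.chains[name.lower()] = refs

    def lookup(self, sni_name):
        """Exact name first, then each '.parent' suffix the chain was registered under."""
        name = sni_name.lower().rstrip(".")
        if name in self.chains:
            return [self.objects[d] for d in self.chains[name]]
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = "." + ".".join(labels[i:])
            if parent in self.chains:
                return [self.objects[d] for d in self.chains[parent]]
        return None

    def stats(self):
        """(objects a naive copy-per-chain layout would hold, objects actually held)."""
        return self.blocks_seen, len(self.objects)


def fake_pem(label):
    # Constructed stand-in for a PEM object; not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"


def build_demo(n_domains=10):
    """Ten domains with distinct leaves and the same two intermediates (hypothetical)."""
    store = ChainStore()
    shared = [fake_pem("intermediate-1"), fake_pem("intermediate-2")]
    for i in range(n_domains):
        domain = f"mail{i}.example.test"
        chain = "\n".join([fake_pem(f"leaf-{domain}")] + shared)
        store.add_chain([domain, f".{domain}"], chain)
    return store
```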