On Wed, Sep 13, 2017 at 09:09:36AM +0300, Dominic Raferd wrote:

> On 11 September 2017 at 19:25, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
> > - what do I specify for the CAfile?

That depends on where the operating system distribution squirrels away
the usual root CA certificates. You can typically find out where OpenSSL
looks by default, e.g.

    $ openssl version -d
    OPENSSLDIR: "/etc/ssl"

which means that the CAfile defaults to "/etc/ssl/cert.pem" and CApath
to "/etc/ssl/certs". You might find the requisite root CA certificates
"there" (wherever "openssl version -d" reports).

A more precise choice would be a file with the specific root CA
certificate that you expect to issue the certificate of the servers you
want to test (presumably your own, so you'd know which CAs to expect).

> - does this check against the certificates being offered both by Postfix
> and Dovecot (which I use for SASL) or just one of them and if so which one?

The bash code in question connects to SMTP servers (-starttls smtp).
The s_client(1) CLI also supports "-starttls imap" (STARTTLS over IMAP
on port 143) and of course can do an immediate TLS handshake (for IMAP
over TLS on port 993), so you could choose a suitable port and just
modify or delete the "-starttls smtp" option.

For OpenSSL 1.1.0 the bash script could also be enhanced to verify DANE
TLSA records (obtained via dig or similar).

The bash gymnastics serve two purposes:

  1. Avoid temporary files that might need fragile cleanup code.
  2. Capture stderr and only output such diagnostics on error.

The script would have been a lot simpler if I were willing to have it be
noisy even on success and leak temp files.

-- 
	Viktor.
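The pattern the reply describes (s_client with -starttls smtp against a chosen CAfile, no temp files, diagnostics shown only on failure), as an added shell example that is not the script under discussion in the thread; the function names, the protocol argument, and the use of -servername, -verify_return_error and timeout are my additions, not something the post specifies:

```bash
#!/bin/bash
# Added example, not the script from the thread: check an SMTP (or IMAP)
# server's certificate chain with openssl s_client against a chosen root
# CA file, keeping all output in a shell variable instead of temp files
# and printing the diagnostics only when verification fails.

# Map the protocol argument to s_client options: "smtp" and "imap" use
# STARTTLS; "none" means an immediate TLS handshake (e.g. IMAP on 993).
tls_opts() {
    case $1 in
        none) printf '' ;;
        *)    printf -- '-starttls %s' "$1" ;;
    esac
}

# Usage: tls_check HOST PORT CAFILE [smtp|imap|none]   (default: smtp)
# Returns 0 when the chain verifies against CAFILE, non-zero otherwise.
tls_check() {
    local host=$1 port=$2 cafile=$3 proto=${4:-smtp} out rc=0
    local -a cmd=(openssl s_client -connect "$host:$port" -servername "$host"
                  -CAfile "$cafile" -verify_return_error)
    # Word-splitting of tls_opts output is intended here.
    cmd+=($(tls_opts "$proto"))
    # Keep a filtered port from hanging the check when a timeout tool exists.
    command -v timeout >/dev/null 2>&1 && cmd=(timeout 20 "${cmd[@]}")

    # Empty stdin makes s_client exit after the handshake; 2>&1 folds the
    # stderr diagnostics into the same variable, so nothing reaches the
    # terminal unless we decide to show it. The if/else keeps a non-zero
    # exit from tripping set -e in callers.
    if out=$("${cmd[@]}" </dev/null 2>&1); then rc=0; else rc=$?; fi

    # -verify_return_error aborts the handshake on any chain error, so a
    # zero exit plus the final verify line means the CA file matched.
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        return 0
    fi
    # Only on failure do the captured diagnostics get printed.
    printf '%s:%s (%s): TLS verification failed, exit %d\n%s\n' \
        "$host" "$port" "$proto" "$rc" "$out" >&2
    return 1
}

# Example invocation (hypothetical host): exit 0 only if the chain verifies.
# tls_check mail.example.com 25 /etc/ssl/cert.pem smtp
```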