On Fri, Sep 27, 2019 at 05:01:03PM +0200, Emmanuel Fusté wrote:

> Next, more a feature request: I have some custom transports defined for
> different/custom client side TLS certs and conf.

Client-side TLS certs typically have private keys that only root can read, but tlsproxy(8) (optionally) chroots and then drops privs at startup, after loading any default client-side keys/certs.

For this, we'd need a variant of the server-side SNI code, with the keys and certs for various destinations stored in a table that is opened in "pre-jail" initialization while the process is still running as root. The client code would then load appropriate destination-specific keys from the table.

Just to be on the safe side with chroot, the CAfile and CApath are also required to be the same for all tlsproxy clients; perhaps this can be relaxed, as these files don't contain secrets, and should be readable by unprivileged processes. With chroot jails, it would be the administrator's responsibility to ensure that suitable CAfile/CApath exist in the jail ($queue_directory).

> But we presently have no way to specify a different tlsproxy instance
> for smtp as for cleanup for smtpd. So for now I must disable TLS
> connection reuse on these transports.

Wietse answered this part.

-- 
Viktor.
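
An added sketch of the "pre-jail" ordering described in the message above: per-destination keys are read into memory while still privileged, and lookups after the chroot and privilege drop never touch the filesystem. This is not Postfix or tlsproxy code and not from the poster; the table layout, function names and the key-permission check are assumptions, and the sample files are constructed.

```python
import os
import stat
import tempfile

def load_client_creds(table):
    """Pre-jail step (still privileged): read every destination's PEM
    cert and key into memory so no key file is opened after the drop."""
    creds = {}
    for dest, (cert_path, key_path) in table.items():
        mode = os.stat(key_path).st_mode
        # Assumption of this sketch: refuse keys accessible to group/other.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{key_path}: key is group/world accessible")
        with open(cert_path, "rb") as c, open(key_path, "rb") as k:
            creds[dest.lower()] = (c.read(), k.read())
    return creds

def enter_jail(jail_dir, uid, gid):
    """chroot first, then drop privileges: groups, gid, and uid last."""
    os.chroot(jail_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

def creds_for(creds, nexthop):
    """Post-jail lookup: memory only; None for an unknown destination."""
    return creds.get(nexthop.lower())

def demo():
    """Constructed sample: two destinations with placeholder file contents."""
    d = tempfile.mkdtemp()
    table = {}
    for dest in ("relay-a.example", "relay-b.example"):
        cert, key = os.path.join(d, dest + ".crt"), os.path.join(d, dest + ".key")
        for path, body in ((cert, b"CERT " + dest.encode()), (key, b"KEY " + dest.encode())):
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o600)
        table[dest] = (cert, key)
    creds = load_client_creds(table)
    # Stand-in for enter_jail() when not root: make the files unreachable.
    for cert, key in table.values():
        os.remove(cert)
        os.remove(key)
    return creds_for(creds, "Relay-A.example"), creds_for(creds, "other.example")

if __name__ == "__main__":
    print(demo())
```

In a real daemon `enter_jail()` would run between `load_client_creds()` and the first `creds_for()` call; `demo()` deletes the files instead so it runs without root.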