Viktor Dukhovni:
> On Fri, Sep 27, 2019 at 05:01:03PM +0200, Emmanuel Fusté wrote:
>
> > Next, more a feature request: I have some custom transports defined for
> > different/custom client side TLS certs and conf.
>
> Client-side TLS certs typically have private keys that only root
> can read, but tlsproxy(8) (optionally) chroots and then drops privs
> at startup, after loading any default client-side keys/certs.
>
> For this, we'd need a variant of the server-side SNI code, with the
> keys and certs for various destinations stored in a table that
> is opened in "pre-jail" initialization while the process is still
> running as root. The client code would then load appropriate
> destination-specific keys from the table.
>
> Just to be on the safe side with chroot, the CAfile and CApath are
> also required to be the same for all tlsproxy clients, perhaps
> this can be relaxed, as these files don't contain secrets, and
> should be readable by unprivileged processes. With chroot jails,
> it would be the administrator's responsibility to ensure that
> suitable CAfile/CApath exist in the jail ($queue_directory).

Before implementing multiple TLS profiles in the tlsproxy(8) daemon,
we would have to get rid of global libtls settings, and pass their
values through tls_{client,server}_init() calls.

Those global settings may differ between Postfix SMTP clients, and
they cannot be redefined by a tlsproxy client request because that
would affect connections from SMTP clients with different global
settings.

Wietse
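
The "pre-jail" table pattern from the quoted message, as an added example that is not Postfix or tlsproxy(8) code: root-only key files are copied into memory before chroot and privilege drop, then looked up per destination without touching the filesystem. The struct, the function names, the fixed table size and the choice to hold raw PEM bytes (rather than parsed OpenSSL objects) are all assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1               /* chroot(2), setgroups(2) on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct tls_profile {                    /* hypothetical per-destination identity */
    char dest[256];                     /* lookup key, e.g. next-hop domain */
    char pem[16384];                    /* key + cert chain, read while root */
};
static struct tls_profile table[8];
static int n_profiles;

/* Pre-jail: copy a root-only PEM file into memory. Returns 0 on success. */
int profile_preload(const char *dest, const char *path)
{
    struct tls_profile *p = &table[n_profiles];
    FILE *fp;

    if (n_profiles >= 8 || strlen(dest) >= sizeof(p->dest)
        || (fp = fopen(path, "r")) == NULL)
        return -1;
    size_t len = fread(p->pem, 1, sizeof(p->pem) - 1, fp);
    int bad = ferror(fp) || len == 0 || len == sizeof(p->pem) - 1;
    fclose(fp);
    if (bad)                            /* I/O error, empty or oversized file */
        return -1;
    p->pem[len] = '\0';
    strcpy(p->dest, dest);
    n_profiles++;
    return 0;
}

/* Jail: chroot, then drop root irreversibly. Returns 0 on success. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0 || chdir("/") != 0 || setgroups(0, NULL) != 0
        || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;     /* regaining root must fail */
}

/* Post-jail: in-memory lookup only; key files are no longer reachable. */
const char *profile_lookup(const char *dest)
{
    for (int i = 0; i < n_profiles; i++)
        if (strcmp(table[i].dest, dest) == 0)
            return table[i].pem;
    return NULL;
}
```

The call order is profile_preload() for every destination, then enter_jail(), then profile_lookup() per connection; the CAfile/CApath are not preloaded here because, as the quoted message notes, they hold no secrets and only need to exist inside the jail.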