On Monday 29 July 2013, Ludwig Nussel wrote:
Freek de Kruijf wrote:
On Friday 26 July 2013 09:09:02, Ludwig Nussel wrote:
I'm currently working on that for 13.1¹. Applications are expected to call SSL_CTX_set_default_verify_paths() resp gnutls_x509_trust_list_add_system_trust() to make them use the system certificate store. No package should hardcode /etc/ssl/certs or any bundle file anymore. NSS applications like Firefox need no change. Just install p11-kit-nss-trust instead of mozilla-nss-certs.
Postfix used to have in main.cf two parameters with CApath in it to point to these certs. Now these parameters do not have a value. Should these parameters be replaced by new parameters to indicate the use of the above routine in Postfix?
I'm not into Postfix so no idea how to configure it. I suppose Postfix has a dual role though. When sending mail it acts as client and when receiving mail it acts as server. In the client role it makes sense to have it call SSL_CTX_set_default_verify_paths() so it can authenticate smtps servers on the internet. As server, however, the CA path usually has a different meaning. It's likely used to restrict what CAs are allowed to authenticate client certificates, iow who is allowed to send mail via your server. In that case you may want to only allow e.g. one single custom CA. So unless the server allows you to specify the DNs of permitted CAs, you better not use SSL_CTX_set_default_verify_paths() resp /etc/ssl/certs, i.e. provide no default for a CA path in the package.
Good point, there are use cases where you want to use default CAs even for the server but probably we shouldn't set this per default. Although it wouldn't be a real problem because "permit_tls_all_clientcerts" is nowhere used by default.

cu, Rudi
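
The client/server split discussed in this thread, as an added example that is not part of the original messages and not Postfix code. It uses Python's ssl module, whose SSLContext.set_default_verify_paths() wraps the OpenSSL call named above; the function names and the choice to refuse a missing client-CA file are assumptions of this sketch.

```python
import ssl


def client_context() -> ssl.SSLContext:
    """Outbound role (e.g. delivering mail): authenticate arbitrary servers
    against the system certificate store."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Wrapper around OpenSSL's SSL_CTX_set_default_verify_paths();
    # no /etc/ssl/certs or bundle file is hardcoded here.
    ctx.set_default_verify_paths()
    return ctx


def server_context(client_ca_file, cert_file=None, key_file=None) -> ssl.SSLContext:
    """Inbound role: the CA set decides WHO may authenticate with a client
    certificate, so the operator must name it; there is no default."""
    if not client_ca_file:
        raise ValueError("client CA file must be chosen explicitly; "
                         "the system store is not a safe default here")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # demand a client certificate
    # Only the operator's CA(s) are loaded; set_default_verify_paths()
    # is deliberately NOT called on the server side.
    ctx.load_verify_locations(cafile=client_ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # the server's own identity
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently loaded into the context's store
    (certificates in a hashed CA directory are loaded lazily and not counted)."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    print("client: system CAs loaded from bundle file:",
          trusted_ca_count(client_context()))
    bare_server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("server before explicit CA is loaded:", trusted_ca_count(bare_server))
```

A fresh server context trusts no CA at all until one is loaded, which is the "no default CA path" behaviour argued for above.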