On Mon, May 23, 2016 at 10:19:42AM +0100, John Cox wrote:
> Hi
>
> > [snip]
> > yes, the rationale is explained in the commit log:
> >
> >     Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
> >
> >     Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
> >     messages/bytes in the TLS handshake and increases our attack surface,
> >     since we request and then process client certificates.
>
> Well I guess I disagree with the "unnecessarily" there, but thanks for
> the info. If I got together the effort to build a patch that gives an
> option to restore the old behaviour would:
>
> (a) there be any chance of the patch being accepted (i.e. is it
>     against policy to allow this option to be enabled)
> (b) you prefer it to be a global or per-connection option and what
>     would you like the syntax to be?
>
> (No guarantees that I will be able to find the time but given it is
> functionality that I want I guess I should try and put in the effort)

well, one way the patch would be accepted is if it adds an optional check
feature so that:

    listen on [...] tls check
    listen on [...] tls-require check

this would be optional and require explicit setting, it's just not going
to be the default setup.

--
Gilles Chehade

https://www.poolp.org                                 @poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org