On Mon, May 23, 2016 at 10:19:42AM +0100, John Cox wrote:
> Hi
> 
> > [snip]
> >yes, the rationale is explained in the commit log:
> >
> >     Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
> >     
> >     Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
> >     messages/bytes in the TLS handshake and increases our attack surface,
> >     since we request and then process client certificates.
> 
> Well I guess I disagree with the "unnecessarily" there, but thanks for
> the info.  If I got together the effort to build a patch that gives an
> option to restore the old behaviour would:
> 
>  (a) there be any chance of the patch being accepted (i.e. is it
> against policy to allow this option to be enabled)
>  (b) you prefer it to be a global or per-connection option and what
> would you like the syntax to be?
> 
> (No guarantees that I will be able to find the time but given it is
> functionality that I want I guess I should try and put in the effort)
> 

well, one way the patch would be accepted is if it adds an optional
check feature so that:

      listen on [...] tls check
      listen on [...] tls-require check

this would be optional and require an explicit setting; it's just not going
to be the default setup.


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
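
Whatever keyword ends up in smtpd.conf, the three server-side behaviours being weighed in this thread are what OpenSSL's verify modes select: SSL_VERIFY_NONE never sends a CertificateRequest, SSL_VERIFY_PEER alone requests a certificate and verifies one if the client offers it but continues if it does not, and SSL_VERIFY_PEER with SSL_VERIFY_FAIL_IF_NO_PEER_CERT additionally aborts when none arrives. The following is an added example written for this page in Go, not OpenSMTPD's code (which sits on libssl/libtls); it uses Go's crypto/tls ClientAuthType values as stand-ins for those three modes, and the reading of the proposed `check` as "request and verify if offered, continue if not" is an assumption. The host names `smtp.example` and `client.example`, the self-signed certificates, and the helper names are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The three server-side policies under discussion, in crypto/tls terms (assumed mapping).
const (
	PolicyNone    = tls.NoClientCert               // SSL_VERIFY_NONE: no CertificateRequest is sent
	PolicyCheck   = tls.VerifyClientCertIfGiven    // SSL_VERIFY_PEER: request, verify if offered, go on if not
	PolicyRequire = tls.RequireAndVerifyClientCert // SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)

// selfSigned builds a throwaway self-signed certificate for cn (constructed test
// material); because IsCA is set it can also act as its own trust anchor.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// handshake runs one handshake over an in-memory pipe under the given server policy and
// returns the CN of the client certificate the server holds afterwards ("" if none) plus
// the server-side handshake error.
func handshake(policy tls.ClientAuthType, clientHasCert bool) (string, error) {
	srvCert, srvLeaf := selfSigned("smtp.example")
	cliCert, cliLeaf := selfSigned("client.example")
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(cliLeaf) // consulted only when a client certificate is actually verified
	rootCAs.AddCert(srvLeaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: policy,
		ClientCAs: clientCAs, MinVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: rootCAs, ServerName: "smtp.example", MinVersion: tls.VersionTLS12}
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	a, b := net.Pipe()
	_ = a.SetDeadline(time.Now().Add(5 * time.Second)) // safety net: net.Pipe is fully synchronous
	_ = b.SetDeadline(time.Now().Add(5 * time.Second))
	srv, cli := tls.Server(a, srvCfg), tls.Client(b, cliCfg)
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer cli.Close()
		if cli.Handshake() == nil {
			// Keep reading so the server can deliver post-handshake messages,
			// an alert, or close_notify without blocking on the pipe.
			_, _ = cli.Read(make([]byte, 1))
		}
	}()
	err := srv.Handshake()
	cn := ""
	if peer := srv.ConnectionState().PeerCertificates; err == nil && len(peer) > 0 {
		cn = peer[0].Subject.CommonName
	}
	srv.Close()
	<-done
	return cn, err
}

func main() {
	for _, c := range []struct{ name string; policy tls.ClientAuthType; hasCert bool }{
		{"none, client offers cert", PolicyNone, true},
		{"check, client offers cert", PolicyCheck, true},
		{"check, client has no cert", PolicyCheck, false},
		{"require, client offers cert", PolicyRequire, true},
		{"require, client has no cert", PolicyRequire, false},
	} {
		cn, err := handshake(c.policy, c.hasCert)
		fmt.Printf("%-28s clientCN=%q err=%v\n", c.name, cn, err)
	}
}
```

Only the `check` and `require` policies put CertificateRequest, Certificate and CertificateVerify on the wire and run X.509 chain validation on bytes the peer chose, which is the extra handshake traffic and parsing surface the commit message refers to; under `none` the client's certificate is never even requested, so it never reaches the server. The difference between `check` and `require` shows up only when the client has nothing to offer: `check` completes the handshake with no peer certificate, `require` fails it.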