>> [quote]
>> A certificate supplied here must be usable as an SSL client
>> certificate and hence pass the "openssl verify -purpose sslclient ..."
>> test.
> [/quote]

> This (somewhat dated perhaps) sentence assumes that the server will be
> "verifying" the certificate (not just using it or its public key
> directly as "raw" input for access control). If so, the EKU, if
> present, needs to include "clientAuth". But the server may not be
> looking to "verify" the certificate relative to some issuer CA chain.

>> So my question is, will Postfix still be able to authenticate with the
>> certificate if it does not contain the TLS client auth Extended Key
>> Usage extension?

> The Postfix SMTP client just sends the certificate along, what the
> server makes of it is the server's problem.

The reason I'm asking is that the line "...hence pass the "openssl verify -purpose sslclient test" was interpreted by me to mean that the client certificate is not used if this test fails, which in my case it does:

openssl verify -verbose -purpose sslclient -CAfile test.pem test.pem
error 26 at 0 depth lookup: unsuitable certificate purpose
error test.pem: verification failed

Whereas the sslserver purpose is OK:

openssl verify -verbose -purpose sslserver -CAfile test.pem test.pem
test.pem: OK

I just wanted to confirm that Postfix will still use the certificate for client TLS auth even if the "sslclient" test fails. Whether or not O365 accepts it is a different story (it looks like it does, but I asked Microsoft for confirmation).

Kind regards,

Martijn Brinkers
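The purpose test discussed in this message can be reproduced with throwaway certificates. The script below is an added example, not part of the original thread: it builds three self-signed certificates (EKU serverAuth only, EKU serverAuth plus clientAuth, and no EKU at all) and runs the same "openssl verify -purpose" check on each. The certificate names, the example.test CNs and the helper functions are assumptions made for illustration; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example. Certificates are constructed test data, created in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EXTLINE: self-signed cert carrying one extension line,
# e.g. "extendedKeyUsage = serverAuth". Uses its own minimal config so the
# result does not depend on the system openssl.cnf.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $1.example.test
[ext]
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# purpose_ok NAME PURPOSE: succeeds if the cert passes the same test the
# thread runs, "openssl verify -purpose PURPOSE -CAfile cert cert".
purpose_ok() {
    openssl verify -purpose "$2" -CAfile "$WORK/$1.pem" "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# report NAME: print the result for both purposes.
report() {
    for p in sslclient sslserver; do
        if purpose_ok "$1" "$p"; then r=OK; else r=FAIL; fi
        printf '%-12s %-10s %s\n' "$1" "$p" "$r"
    done
}

make_cert server-only "extendedKeyUsage = serverAuth"
make_cert both        "extendedKeyUsage = serverAuth, clientAuth"
make_cert no-eku      "subjectKeyIdentifier = hash"
for c in server-only both no-eku; do report "$c"; done
```

Only the server-only certificate fails the sslclient purpose; a certificate with no EKU extension passes both, which matches the "EKU, if present" wording in the quoted reply.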
