Re: [openssl-users] 'No client certificate CA names sent'
On Tue, Jan 31, 2017 at 08:07:16AM -0700, russellb...@gmail.com wrote: > It was on the client side. I'm running sendmail as a client > to relay mail that originates on my computer through gmail. Gmail's SMTP server, correctly, does not suggest any preferred client CAs. > When I > request a certificate from gmail I get that message in the return > (along with a certificate). It may not matter. Not only does it not matter, it is expected and best practice. > When I send mail through gmail, sendmail reports > 'verify=FAIL'. I hoped to make that not happen. Completely unrelated to the preferred client CA list. Sendmail's TLS support is fairly anaemic, you should probably just ignore this. While it is possible to "verify" the certificate, that's pointless unless you also configure secure matching of the MX hostname against the certificate. Absent DNSSEC (which gmail does not currently support) you'd need to define custom policy for gmail that insists on their current MX hostnames or some fuzzy match thereof. This is much too much work. https://tools.ietf.org/html/rfc7672#section-1.3 For now, opportunistic unauthenticated TLS will do and is what what most SMTP email uses: https://tools.ietf.org/html/rfc7435#section-1.3 https://www.google.com/transparencyreport/saferemail/ > Quoth Mr Viktor Dukhovni: > > > 'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html > > That's the same as the man page I already have. > > 'Just pass a NULL stack.' > > Is there an app with which I can do this or do I have to write > a program? Not that I can't do that. None of this is applicable on the client side. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 'No client certificate CA names sent'
Quoth Mr Benjamin Kaduk: 'That's generally the default server behavior when no CAs are configured for that purpose. But, (1) I thought you were looking at the client side, and (2) how to configure the server depends on what software is used on the server, so there's not much more to say right now.' It was on the client side. I'm running sendmail as a client to relay mail that originates on my computer through gmail. When I request a certificate from gmail I get that message in the return (along with a certificate). It may not matter. It doesn't keep me from sending mail through gmail. I just wanted to understand it. When I send mail through gmail, sendmail reports 'verify=FAIL'. I hoped to make that not happen. Quoth Mr Viktor Dukhovni: 'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html That's the same as the man page I already have. 'Just pass a NULL stack.' Is there an app with which I can do this or do I have to write a program? Not that I can't do that. russell bell -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 'No client certificate CA names sent'
> On Jan 30, 2017, at 11:44 AM, russellb...@gmail.com wrote: > >> it is often wise to send an empty list when requesting client certificates. > > How does one send an empty list? https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html Just pass a NULL stack. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 'No client certificate CA names sent'
On 01/30/2017 10:44 AM, russellb...@gmail.com wrote: > Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty > list when requesting client certificates.' > How does one send an empty list? > That's generally the default server behavior when no CAs are configured for that purpose. But, (1) I thought you were looking at the client side, and (2) how to configure the server depends on what software is used on the server, so there's not much more to say right now. -Ben -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 'No client certificate CA names sent'
Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty list when requesting client certificates.' How does one send an empty list? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 'No client certificate CA names sent'
> On Jan 29, 2017, at 11:34 AM, russellb...@gmail.com wrote: > > What does this message mean? That I failed to send a client > certificate CA name? That I failed to receive one? I run > > $ openssl s_client -certform gmail.pem -key gmail.key \ > -CAfile cacert.pem -debug -verify 10 -connect smtp.gmail.com:465 > > I don't see the an argument to send a client certificate CA name in > s_client's man page. The list of "client certificate CA names" is optionally sent by servers when requesting client certificates. It is normal for no such list to be sent, and it is often wise to send an empty list when requesting client certificates. All this is controlled on the server side. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users