Eric Rescorla <[email protected]> wrote:
> id-kp-serverAuth is actually defined for "TLS WWW server
> authentication", so ISTM that using it for an SMTP server is actually
> already not really conforming to the Extended Key Usage requirements

This.

    %openssl s_client -starttls smtp -showcerts -connect smtp.google.com:25
    depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
    verify return:1
    depth=1 C=US, O=Google Trust Services, CN=WR2
    verify return:1
    depth=0 CN=mx.google.com
    verify return:1
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                f8:bd:33:59:64:31:67:36:10:6e:a8:81:dc:d5:56:de
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Google Trust Services, CN=WR2
    ...
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication

I assume that *GOOGLE* will stop using *WEB* server certificates for its SMTP.
Or, that the GOOGLE Root program will stop including "GTS Root R1".

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
