On Sun, May 18, 2025 at 10:57:38PM +1000, Viktor Dukhovni via mailop wrote:
> On Sun, May 18, 2025 at 03:29:50AM -0700, Dan Mahoney wrote:
>
> > Maybe I’m late to the game here, but is there code in OpenSSL or in
> > Postfix, that will only let it either present, or accept, a cert that
> > has the client EKU as a client certificate?
>
> IIRC OpenSSL will only accept a TLS client certificate if the EKU
> extension is missing, or if it includes TLS client authentication.
>
> > (I mean, perhaps this is better asked on postfix-users, I’m sure
> > there’s overlap between here and there).
>
> The check is in OpenSSL.
The error in question is not automatically fatal, it precludes the
certificate being verified:

    verify error:num=26:unsuitable certificate purpose

but if the server accepts client certs based on just the key or cert
fingerprint, ignoring PKIX trust, the connection completes.

-- 
    Viktor.
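The two behaviours described in this thread, modelled as an added example (this is not OpenSSL or Postfix code): a minimal DER decoder pulls the Extended Key Usage extension out of an X.509 Extensions structure and applies the rule Viktor states for a TLS client certificate (no EKU, or an EKU that lists id-kp-clientAuth, passes; anything else is verify error 26, X509_V_ERR_INVALID_PURPOSE). A second function models the fingerprint-pinned server policy where that error is not fatal. The Extensions structures are constructed inside the block rather than taken from real certificates, the fingerprint is over those constructed bytes, chain building is not modelled, and the names build_extensions, check_client_purpose and server_accepts are chosen here.

```python
"""Model of OpenSSL's "sslclient" purpose check on the Extended Key Usage
(EKU) extension, and the fingerprint-pinning case where error 26 is not
fatal.  Added example with a minimal DER codec; not OpenSSL/Postfix code."""
import hashlib

OID_EKU = "2.5.29.37"                   # id-ce-extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
X509_V_ERR_INVALID_PURPOSE = 26         # "unsuitable certificate purpose"

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID contents (base-128 arcs) to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _tlv(tag, value):
    """Encode a DER TLV; short-form length is enough for these sizes."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def _encode_oid(dotted):
    """Encode a dotted OID; every arc used here fits in one base-128 byte."""
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:])
    return _tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))

def build_extensions(eku_oids):
    """Constructed X.509 Extensions SEQUENCE (test input, not a real cert).
    eku_oids=None omits the EKU extension; a BasicConstraints extension
    (2.5.29.19) is always present so the parser must skip an unrelated one."""
    exts = [_tlv(0x30, _encode_oid("2.5.29.19") + _tlv(0x04, _tlv(0x30, b"")))]
    if eku_oids is not None:
        purposes = _tlv(0x30, b"".join(_encode_oid(o) for o in eku_oids))
        exts.append(_tlv(0x30, _encode_oid(OID_EKU) + _tlv(0x04, purposes)))
    return _tlv(0x30, b"".join(exts))

def extended_key_usage(extensions_der):
    """Return the list of KeyPurposeId OIDs, or None if there is no EKU."""
    _, seq, _ = _read_tlv(extensions_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid, p = _read_tlv(ext, 0)           # extnID
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                         # optional critical BOOLEAN
            tag, val, p = _read_tlv(ext, p)     # extnValue OCTET STRING
        if _decode_oid(oid) == OID_EKU:
            _, purposes, _ = _read_tlv(val, 0)  # SEQUENCE OF KeyPurposeId
            oids, q = [], 0
            while q < len(purposes):
                _, o, q = _read_tlv(purposes, q)
                oids.append(_decode_oid(o))
            return oids
    return None

def check_client_purpose(extensions_der):
    """OpenSSL's rule as stated in the post: a TLS client cert passes (0)
    if EKU is absent or lists id-kp-clientAuth, otherwise error 26."""
    eku = extended_key_usage(extensions_der)
    if eku is None or OID_CLIENT_AUTH in eku:
        return 0
    return X509_V_ERR_INVALID_PURPOSE

def fingerprint(der):
    """SHA-256 hex digest; here over the constructed Extensions bytes."""
    return hashlib.sha256(der).hexdigest()

def server_accepts(extensions_der, pinned_fingerprints):
    """Model of the two server policies in the post: a pinned-fingerprint
    match ignores PKIX, so error 26 does not stop the connection;
    otherwise the purpose check must pass (chain building not modelled)."""
    if fingerprint(extensions_der) in pinned_fingerprints:
        return True
    return check_client_purpose(extensions_der) == 0

if __name__ == "__main__":
    server_only = build_extensions([OID_SERVER_AUTH])
    print("server-only EKU, PKIX mode:", check_client_purpose(server_only))
    print("server-only EKU, pinned:",
          server_accepts(server_only, {fingerprint(server_only)}))
```

Running the block prints 26 for a serverAuth-only certificate under the PKIX rule and True once its fingerprint is pinned, which is the distinction the post draws: the purpose error blocks PKIX verification but a fingerprint-based policy never consults it.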