Hi

> This week I upgraded one of my OpenSMTPD email servers to OpenBSD
> 5.6/OpenSMTPD 5.4.3 and all of a sudden I started having all kinds of TLS
> cert verification interoperability problems with my existing FreeBSD
> OpenSMTPD 5.4.2 server.
>
> I was pulling my hair out trying to find out what the heck was going on. After
> much flailing and gnashing of teeth I finally found the answer.
>
> The CAcert root was pulled from OpenBSD 9 months ago, due to "strict
> requirements on redistribution".
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/Attic/cert.pem?rev=1.24&content-type=text/x-cvsweb-markup
>
> This really sucks, because now I have to set up my own Root CA for all my
> private-facing TLS-only email servers or fork over yet more $$ to the
> worthless commercial cert racket.
>
> I know this wasn't anything directly caused by OpenSMTPD, but if anyone
> else is using CAcert.org certs and you're thinking about upgrading from
> OpenBSD 5.5 to 5.6, watch out for this.
If you only care about local interoperation, why are you using an externally provided root cert? Why not generate your own? I'll admit I haven't upgraded to 5.6 yet (and therefore to libressl), but under the old (openssl) regime it was easy enough to add your own root certificates to the main stash (or indeed add the CAcert.org one manually).

Regards
JC

--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
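The symptom the thread describes (verification fails once the root is no longer in the trust store) and JC's suggested fix (generate a private root and add it to the CA bundle) can be reproduced end to end with the openssl CLI. This is an added example, not code from either poster; it assumes an `openssl` binary on PATH, and the CA name, hostname and bundle path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: private root CA, a server cert issued by it, and
# verification against (a) a bundle without the root, (b) the same
# bundle after the root is appended. All files live in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root, the replacement for the withdrawn CAcert root.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Private Mail Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf cert for a mail host ($1) signed by the private root.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Return 0 only if host $1's cert chains to a root in bundle $2.
# This is what the peer SMTP server does during STARTTLS verification.
verify_against() {
  openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# JC's fix: append the private root to a (local copy of the) CA bundle.
add_root_to_bundle() {
  cat "$WORK/ca.crt" >> "$1"
}

# Stand-alone walk-through mirroring the thread.
demo() {
  make_private_ca
  issue_server_cert mail.example.test
  : > "$WORK/bundle.pem"                      # a trust store missing the root
  if verify_against mail.example.test "$WORK/bundle.pem"; then
    echo "unexpected: verified without the root"; return 1
  fi
  echo "verification failed without the root (the OpenBSD 5.6 symptom)"
  add_root_to_bundle "$WORK/bundle.pem"
  verify_against mail.example.test "$WORK/bundle.pem"
  echo "verification succeeded after adding the private root"
}
```

Run `demo` to see both outcomes; on a real host the bundle would be the system CA file (the path differs between OpenBSD and FreeBSD), so work on a copy first.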
