Hi

>Hi,
>
>I had misunderstood your mail and the issue when I first read this
>so here's a new answer ;-)
>
>
>On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>>
>> TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>>
>
>Following suggestions from one of our libressl hackers we now only request
>client certificate when 'tls-require verify' is specified.
>
>You can see the commit and rationale here:
>
>
>    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup
>
>
>verify=NO is the default, the only cases where you'll get another value
>is if you requested verify and it succeeded.

OK - Well at least it is working as intended. Can you (or they) explain the rationale behind this decision?

I liked the old behaviour. Could I have an option to turn it on again (global or otherwise) please? I find more info is always useful when trying to work out what is going on.

Thanks

JC
