On Mon, May 23, 2016 at 09:03:47AM +0100, John Cox wrote:
> Hi
>
> >Hi,
> >
> >I had misunderstood your mail and the issue when I first read this
> >so here's a new answer ;-)
> >
> >
> >On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
> >> Hi
> >>
> >> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
> >> validation errors in the headers:
> >>
> >> TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> >> bits=256 verify=NO
> >>
> >> Prior to the upgrade I would get verify=YES. (I think it was the
> >> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
> >> did it - it was certainly about that time)
> >>
> >> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
> >> makes no difference.
> >>
> >
> >Following suggestions from one of our libressl hackers we now only request
> >client certificate when 'tls-require verify' is specified.
> >
> >You can see the commit and rationale here:
> >
> >
> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup
> >
> >
> >verify=NO is the default, the only cases where you'll get another value
> >is if you requested verify and it succeeded.
>
> OK - Well at least it is working as intended.
>
> Can you (or they) explain the rationale behind this decision? I liked
> the old behaviour. Could I have an option to turn it on again (global
> or otherwise) please? I find more info is always useful when trying
> to work out what is going on.
>
yes, the rationale is explained in the commit log:
Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
messages/bytes in the TLS handshake and increases our attack surface,
since we request and then process client certificates.
--
Gilles Chehade
https://www.poolp.org @poolpOrg
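As an added illustration (not part of the thread and not taken from the OpenSMTPD source), here is how the two listener forms discussed above look in smtpd.conf for a 5.9-era OpenSMTPD. The pki and ca names, the interface group and the file paths are placeholders, and the `ca caname` keyword for naming the CA used to check client certificates is assumed from the smtpd.conf(5) of that release rather than stated in the thread.

```conf
# Added example, not from the thread or from OpenSMTPD itself.
# mail.example.com, clientca and the paths are placeholders.

pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key         "/etc/ssl/private/mail.example.com.key"

# CA used to validate client certificates (assumed "ca" syntax).
ca  clientca certificate "/etc/ssl/clientca.crt"

# Plain TLS listener: since the change linked above, SSL_VERIFY_PEER is
# not set here, the client is never asked for a certificate, and the
# Received header will always say verify=NO.
listen on egress tls pki mail.example.com

# tls-require verify: SSL_VERIFY_PEER is enabled on this listener only,
# the client is asked for a certificate during the handshake, and a
# client whose certificate validates against clientca is logged as
# verify=YES.
listen on egress port 587 tls-require verify pki mail.example.com ca clientca
```

Two things to check before turning this on: verify=YES only ever appears for a peer that actually presents a certificate chaining to the configured CA, and ordinary MTAs delivering to a public MX almost never do, so on an inbound listener the header will still read verify=NO for nearly all mail. What happens to a client that presents no certificate, or an unverifiable one, on a `verify` listener is release-specific policy; read smtpd.conf(5) for the version you run before putting `verify` on a listener that must accept mail from the Internet.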