Ken Hornstein <[email protected]> wrote:
>> > Fair enough; I'm not saying that the protocol doesn't exist, it just
>> > seems like it's extremely uncommon. BTW, does that require the TLS
>> > client EKU in the client certificate? It seems like that's going away
>> > from certificates issued by most public CAs, at least ones that want to
>> > be part of the Chrome root certificate program.
>>
>> I don't care, I pin the certificate on the SMTP relay via fingerprint.
> Actually, I think you MIGHT need to care; by default the OpenSSL
> library will reject a client certificate presented in a TLS exchange
> unless it contains the TLS client certificate EKU. You need to write a
It hasn't bitten me yet.
Viktor K works on both OpenSSL and Postfix... so if anyone could bash it
right, I think he could...
dyas-[/etc/postfix](3.1.3) mcr 4814 %vc dooku.crt
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
No EKUs. No EKU extension means no restrictions :-)
