On Mon, Jan 30, 2012 at 6:23 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> No patch is required, users should not configure huge CAfiles.

CApath is harder for people to use and so they often don't. It looks like a standard Ubuntu install has a hashed directory while Fedora doesn't. The hash function also changes between OpenSSL 0.9.8 and 1.0.0. I agree that this is a misconfiguration, but it seems that people are getting it wrong. I don't personally have a problem with it, it's just something that I observed.

> If there is a compelling case for customizing the CA list separately
> from CAfile, the right interface would I think not be a boolean to
> suppress the CAfile, but rather a separate parameter to specify the
> CAs to send, which defaults to "$smtpd_tls_CAfile".

Yep, that makes sense too. Happy to rework the patch if folks like that, although I suspect that a real Postfix developer would throw it away and do it right in either case.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org
http://www.imperialviolet.org
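As an added illustration (not code from the thread, from Postfix, or from OpenSSL), a small Python audit for the two configurations discussed above: a CAfile whose every certificate gets advertised to clients, and a CApath whose files are not in the hashed layout OpenSSL looks up. The CAfile contents, the directory layout and the hash-looking file names are constructed for the example; the checker audits layout only and does not recompute OpenSSL subject hashes.

```python
import os
import re
import tempfile

# Shape of the names OpenSSL looks up in a CApath: 8 hex digits of the
# subject hash plus a collision counter. 0.9.8 and 1.0.0 share the shape
# but not the hash value, so a directory rehashed under one version is
# empty to the other; this checker only audits the layout (assumption).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----")

def count_cafile_certs(path):
    """Count PEM certs in a CAfile; each one is advertised in the
    CertificateRequest, so a large count is the 'huge CAfile' problem."""
    with open(path) as f:
        return len(PEM_CERT.findall(f.read()))

def audit_capath(dirpath):
    """Return (usable hashed entries, dangling links, unhashed PEM files)."""
    hashed, dangling, unhashed = [], [], []
    for name in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, name)
        if HASHED_NAME.match(name):
            if os.path.islink(full) and not os.path.exists(full):
                dangling.append(name)    # target removed or renamed
            else:
                hashed.append(name)
        elif name.endswith((".pem", ".crt")):
            unhashed.append(name)        # present, but never found by lookup
    return hashed, dangling, unhashed

def build_sample(root):
    """Constructed fixture: a three-cert CAfile and a CApath with one good
    link, one dangling link and one unhashed file (hash names are made up)."""
    fake_cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    cafile = os.path.join(root, "cacerts.pem")
    with open(cafile, "w") as f:
        f.write(fake_cert * 3)
    capath = os.path.join(root, "certs")
    os.mkdir(capath)
    with open(os.path.join(capath, "root.pem"), "w") as f:
        f.write(fake_cert)
    os.symlink("root.pem", os.path.join(capath, "5ed36f99.0"))  # good link
    os.symlink("gone.pem", os.path.join(capath, "a94d09e5.0"))  # dangling
    return cafile, capath

def demo():
    """Run both checks against the constructed fixture in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        cafile, capath = build_sample(root)
        return count_cafile_certs(cafile), audit_capath(capath)
```

On a real system, point `count_cafile_certs` at the file in `smtpd_tls_CAfile` and `audit_capath` at the directory in `smtpd_tls_CApath`.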