Subject : Re: Client Auth certificates, threat or menace?
From : johnl (at) *nospam* taugh.com (John Levine)
Groups : comp.mail.sendmail
Date : 22. May 2025, 21:08:09
Organisation : Taughannock Networks
Message-ID : <100o079$28bu$1@gal.iecc.com>
References : 1 2 3 4
User-Agent : trn 4.0-test77 (Sep 1, 2010)
It appears that Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> said:
>John Levine wrote:
>>
>>The claim, which I'm not sure I believe, is that the calls to openssl
>>have default values that want the client flag.
>
>Maybe you can give it a try? Or those who make the claim can show
>the problem?
I was hoping you or someone were familiar enough with the code that we didn't have to do experiments.
>It seems to be real based on the openssl doc:
>
>CERTIFICATE EXTENSIONS
>    The -purpose option checks the certificate extensions and
>    determines what the certificate can be used for. The actual
>    checks done are rather complex and include various hacks and
>    workarounds to handle broken certificates and software.
>    ...
>!   The extended key usage extension places additional restrictions
>!   on the certificate uses. If this extension is present (whether
>!   critical or not) the key can only be used for the purposes
>!   specified.
>
>    A complete description of each test is given below. The
>    comments about basicConstraints and keyUsage and V1 certificates
>    above apply to all CA certificates.
>
>    SSL Client
>        The extended key usage extension must be absent or include
>        the "web client authentication" OID. keyUsage must be
>        absent or it must have the digitalSignature bit set.
>        Netscape certificate type must be absent or it must have
>        the SSL client bit set.
Right. It would make sense to look for the client extension when checking a cert
presented for SMTP AUTH, otherwise not. Any idea whether the code does that?
-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
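The quoted "SSL Client" rules can be exercised directly with the openssl command line. The script below is an added example, not code from the thread and not sendmail code: it builds a throwaway test CA and five leaf certificates that differ only in their extendedKeyUsage and keyUsage extensions, then runs `openssl verify -purpose sslclient` and `-purpose sslserver` against each. It assumes an openssl binary (1.1.1 or later) on PATH and writes only to a temp directory; the CA name, hostnames and file names are made up for the demonstration. It shows what the documented purpose check accepts and rejects; it does not show whether sendmail applies that check.

```shell
#!/bin/sh
# Added example (not from the thread, not sendmail code): exercise the
# "SSL Client" / "SSL Server" purpose rules quoted from the OpenSSL docs.
# Assumes: openssl 1.1.1+ on PATH. All keys/certs are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed test CA: CA:TRUE plus keyCertSign so it passes the CA-side
# checks that apply to every purpose; no EKU, so it restricts nothing.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert NAME KEYUSAGE EKU
#   KEYUSAGE: keyUsage bits, e.g. "digitalSignature,keyEncipherment"
#   EKU:      extendedKeyUsage names, or "" to omit the extension entirely
issue_cert() {
    name=$1 ku=$2 eku=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    {
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage=$ku"
        if [ -n "$eku" ]; then echo "extendedKeyUsage=$eku"; fi
    } > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# verify_purpose NAME PURPOSE -> prints "ok" or "rejected"
# PURPOSE is one of the openssl verify -purpose names (sslclient, sslserver, ...)
verify_purpose() {
    if openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# CA plus five leaf certs that differ only in EKU / keyUsage:
#   noeku  : no EKU at all            -> usable as client and server
#   server : EKU serverAuth only      -> rejected as client
#   client : EKU clientAuth only      -> rejected as server
#   both   : EKU serverAuth+clientAuth
#   nosig  : no EKU, keyUsage lacks digitalSignature -> rejected as client
setup_certs() {
    make_ca
    issue_cert noeku  "digitalSignature,keyEncipherment" ""
    issue_cert server "digitalSignature,keyEncipherment" "serverAuth"
    issue_cert client "digitalSignature"                 "clientAuth"
    issue_cert both   "digitalSignature,keyEncipherment" "serverAuth,clientAuth"
    issue_cert nosig  "keyEncipherment"                  ""
}

setup_certs
for n in noeku server client both nosig; do
    printf '%-7s sslclient=%-9s sslserver=%s\n' "$n" \
        "$(verify_purpose "$n" sslclient)" "$(verify_purpose "$n" sslserver)"
done
```

The two rows to look at are "server" (rejected for sslclient because its EKU is present and omits clientAuth) and "nosig" (rejected for sslclient because keyUsage is present without digitalSignature), which are exactly the two conditions in the quoted text; "noeku" passes both purposes because an absent EKU restricts nothing. As a separate fact about libssl rather than about sendmail: when a TLS server verifies a peer certificate, OpenSSL's built-in chain verification selects the ssl_client purpose by default unless the application overrides it, so the question in the thread is whether sendmail changes that default for STARTTLS peers that are not doing SMTP AUTH.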