Subject: Re: adding CA certificates (for use by sendmail)
From: bjorn (at) *nospam* mork.no (Bjørn Mork)
Newsgroups: comp.mail.sendmail
Date: 13. Nov 2024, 21:05:56
Organization: m
Message-ID : <87h68a526z.fsf@miraculix.mork.no>
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Claus Aßmann
<INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
writes:

> Bjørn Mork wrote:
>
>> Note that CACertPath is for validating servers you connect to
>> (STARTTLS=client), while CACertFile is for validating clients connecting
>> to you (STARTTLS=server).
>
> Please explain why you think this is the case.
> SSL_CTX_load_verify_locations(*tls_ctx, cacertfile, cacertpath)
> is invoked in inittls() - for server and client side.

Mainly based on experiments with all sorts of combinations. But looking
at the code also seems to confirm. The rest of that block is:
        if ((r = SSL_CTX_load_verify_locations(*ctx, cacertfile,
                                               cacertpath)) == 1)
        {
# if !TLS_NO_RSA && MTA_RSA_TMP_CB
                if (bitset(TLS_I_RSA_TMP, req))
                        SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
# endif
                if (srv)
                {
                        SSL_CTX_set_client_CA_list(*ctx,
                                SSL_load_client_CA_file(cacertfile));
                }
        }

And the important distinction I wanted to make is the
SSL_CTX_set_client_CA_list() call, which makes cacertfile special wrt
client certificates.
Sorry if I've misunderstood something and am causing confusion here. But I
did just have a fight with sendmail over this, trying to make it accept
only my private CA for client certificates.
Bjørn
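
As an added check, not from the post or from sendmail itself: a small shell script that, given a CACertFile and a CACertPath, lists what the server side of the quoted inittls() block would advertise to clients versus what its verify store would actually trust for client certificates. It assumes the openssl command-line tool is installed and uses two constructed self-signed CAs for the demonstration.

```shell
#!/bin/sh
# Added check (not from the post or sendmail): given CACertFile and CACertPath,
# list what a server initialised by the quoted block advertises versus trusts
# for client certificates. Assumes the openssl command-line tool is installed.

# Advertised in the CertificateRequest: SSL_load_client_CA_file() reads
# CACertFile only, so nothing from CACertPath ever appears here.
advertised_cas() {                                    # $1 = CACertFile
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        sed -n 's/^subject= *//p' | sort -u
}

# Trusted by the verify store: CACertFile plus every hash-named file in
# CACertPath (by-dir lookup opens only <subject_hash>.<n>, so a certificate
# copied there without rehashing is invisible to OpenSSL and to this listing).
trusted_cas() {                              # $1 = CACertFile, $2 = CACertPath
    {
        advertised_cas "$1"
        for f in "$2"/*.[0-9]*; do
            [ -f "$f" ] && openssl x509 -in "$f" -noout -subject 2>/dev/null |
                sed -n 's/^subject= *//p'
        done
    } | sort -u
}

# Two constructed self-signed CAs for the demonstration, written to $1.
make_demo_cas() {                                     # $1 = scratch directory
    for cn in "Private CA" "Some Public CA"; do
        f=$(printf '%s' "$cn" | tr 'A-Z ' 'a-z-')
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$1/$f.key" -out "$1/$f.pem" >/dev/null 2>&1
    done
    mkdir -p "$1/capath" && cp "$1"/*.pem "$1/capath/"
    openssl rehash "$1/capath" >/dev/null 2>&1 || c_rehash "$1/capath" >/dev/null 2>&1
}

# Demo: CACertFile holds only the private CA, CACertPath holds both, so the
# public CA is never advertised yet client certificates it issued still verify.
SCRATCH=$(mktemp -d)
make_demo_cas "$SCRATCH"
echo "advertised:"; advertised_cas "$SCRATCH/private-ca.pem"
echo "trusted:";    trusted_cas "$SCRATCH/private-ca.pem" "$SCRATCH/capath"
rm -rf "$SCRATCH"
```

Run it against the real CACertFile and CACertPath from sendmail.cf (skipping the demo section) to confirm that the trusted list contains nothing beyond the private CA.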