Subject: Re: Client Auth certificates, threat or menace?
From: johnl (at) *nospam* taugh.com (John Levine)
Newsgroups: comp.mail.sendmail
Date: 20 May 2025, 21:18:26
Organization: Taughannock Networks
Message-ID: <100io2i$2ahf$1@gal.iecc.com>
References: 1 2
User-Agent: trn 4.0-test77 (Sep 1, 2010)
According to Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>:
>John Levine wrote:
>>By my understanding, the only place that a mail system uses Client
>>Authentication certs is that a submission client can present a cert
>>for SMTP AUTH rather than a username and a password. It's a niche
>
>There is more, see cf/README: Relaying.

Well, OK, but in practice that's a special case of submission.

>sendmail doesn't care about "EKU":
>
>sendmail.org.cert.pem
>Certificate:
>    Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
>    X509v3 extensions:
>        X509v3 Key Usage: critical
>            Digital Signature, Key Encipherment
>        X509v3 Basic Constraints: critical
>            CA:FALSE
>        X509v3 Extended Key Usage:
>            TLS Web Server Authentication, TLS Web Client Authentication

That's not very helpful since that cert has both key usages.
The claim, which I'm not sure I believe, is that the calls to openssl have default values
that want the client flag.
-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
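As an added illustration of the EKU point discussed above (not part of the thread, and not sendmail's own code), the following shell script generates throwaway self-signed certificates with different Extended Key Usage values and checks each one the way an operator might when deciding whether a submission client's certificate is acceptable for client authentication. It assumes OpenSSL 1.1.1 or later on PATH (for `-addext` and `-ext`); the certificate names and subjects are constructed test data.

```shell
#!/bin/sh
# Added example: inspect the Extended Key Usage of X.509 certificates and
# decide whether each may be used for TLS client authentication.
# Assumes OpenSSL >= 1.1.1 (req -addext, x509 -ext). All certs are
# constructed here, so the script runs offline and leaves nothing behind.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EKU-LIST]: self-signed cert for NAME.example; with a second
# argument the EKU extension is added with those values, otherwise no EKU.
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
            -subj "/CN=$1.example" \
            -addext "extendedKeyUsage=$2" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
            -subj "/CN=$1.example" >/dev/null 2>&1
    fi
}

# eku_of CERT: print the EKU extension as openssl renders it (empty or a
# "No extensions matched" line when the cert carries none).
eku_of() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true
}

# client_auth_ok CERT: succeed if the cert may be used for client auth.
# RFC 5280: an absent EKU extension imposes no restriction; if present it
# must include id-kp-clientAuth ("TLS Web Client Authentication").
client_auth_ok() {
    ext=$(eku_of "$1")
    if ! echo "$ext" | grep -q "Extended Key Usage"; then
        return 0
    fi
    echo "$ext" | grep -q "TLS Web Client Authentication"
}

# Constructed test certificates: both usages, server-only, and no EKU at all.
make_cert both "serverAuth,clientAuth"
make_cert serveronly "serverAuth"
make_cert noeku

for name in both serveronly noeku; do
    if client_auth_ok "$WORK/$name.pem"; then
        echo "$name: usable for client auth"
    else
        echo "$name: NOT usable for client auth (EKU present but lacks clientAuth)"
    fi
done
```

The cert quoted in the thread would land in the first category: its EKU lists both TLS Web Server Authentication and TLS Web Client Authentication, so an EKU check alone cannot tell a server cert from a client cert. Only a certificate whose EKU is present and omits clientAuth is rejected by `client_auth_ok`; whether the peer library enforces that is exactly the question the thread leaves open.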