postfix-users December 2011 archive

Re: TLS certificate validation woes

From: <lst_hoe02_at_nospam>
Date: Tue Dec 20 2011 - 13:30:55 GMT
To: postfix-users@postfix.org

Quoting Bernhard Schmidt <berni@birkenwald.de>:

> On 20.12.2011 10:24, lst_hoe02@kwsoft.de wrote:
>
> Hello,
>
>>> Any idea how to allow all certificates issued by specific Sub-CAs,
>>> without trusting everyone?
>>
>> As far as I understand you have to list the complete chain but only your
>> sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom
>> root and your sub-CA and nothing else. This would allow relaying for any
>> certificate your sub-CA or the Telekom root CA has issued, but not for
>> certificates issued by any sub-CA of the Telekom beside yours. Be aware
>> that you should not do this on a public facing port 25.
>
> Unfortunately no-go, the full chain needs to be in smtpd_tls_CApath,
> otherwise I get the "unable to get issuer certificate". And doing that
> would blow the purpose, since we would be an open relay for everyone
> having a DTAG certificate.

To my knowledge you would *only* be an open relay for certificates
issued directly by the Telekom root-CA and for certificates issued by
your sub-CA, not for certificates issued by other Telekom sub-CAs not
included in the file. Not sure if the Telekom root-CA is used to issue
certificates anyway.
Viktor will correct me if I'm wrong ;-)

Regards

Andreas
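A way to settle the question above on a test bench rather than on port 25, added here and not part of the thread: build a throwaway PKI shaped like the one discussed (one root, two sub-CAs, one client certificate under each) and ask OpenSSL path validation, which is what Postfix relies on, which client certificates a CAfile holding the root plus only one sub-CA accepts. All names are constructed; the script assumes the openssl CLI (1.1.1 or later) with its default config.

```shell
#!/bin/sh
# Constructed test PKI: root -> subA, subB -> leaf_subA, leaf_subB.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

csr() {  # csr NAME -> NAME.key and NAME.csr (constructed test material)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
}

csr root
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext >/dev/null 2>&1
# Two sub-CAs under the same root: "ours" (subA) and "another customer's" (subB).
for sub in subA subB; do
  csr "$sub"
  openssl x509 -req -in "$sub.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -out "$sub.crt" -days 2 -extfile ca.ext >/dev/null 2>&1
done
# One client certificate issued by each sub-CA.
for sub in subA subB; do
  csr "leaf_$sub"
  openssl x509 -req -in "leaf_$sub.csr" -CA "$sub.crt" -CAkey "$sub.key" \
    -CAcreateserial -out "leaf_$sub.crt" -days 2 >/dev/null 2>&1
done
# The proposed smtpd_tls_CAfile contents: the root plus our own sub-CA only.
cat root.crt subA.crt > cafile.pem

# verify_leaf LEAF [INTERMEDIATE]: returns 0 if the chain validates, 1 otherwise.
# The optional second argument stands in for the intermediate certificate a
# TLS client sends along with its own certificate during the handshake.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile cafile.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile cafile.pem "$1" >/dev/null 2>&1
  fi
}

# Expected: leaf_subA accepted; leaf_subB alone rejected ("unable to get issuer
# certificate"); leaf_subB accepted once the client presents subB as well.
for case in "leaf_subA.crt" "leaf_subB.crt" "leaf_subB.crt subB.crt"; do
  # shellcheck disable=SC2086
  if verify_leaf $case; then echo "ACCEPTED: $case"; else echo "REJECTED: $case"; fi
done
```

The third case is the one to watch: because a TLS client normally sends its intermediate, the root in the CAfile is what decides whether certificates from other sub-CAs validate.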