[openssl-users] 'No client certificate CA names sent'

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jan 31 15:34:01 UTC 2017


On Tue, Jan 31, 2017 at 08:07:16AM -0700, russellbell at gmail.com wrote:

> 	It was on the client side.  I'm running sendmail as a client
> to relay mail that originates on my computer through gmail.

Gmail's SMTP server, correctly, does not suggest any preferred
client CAs.

> When I
> request a certificate from gmail I get that message in the return
> (along with a certificate).  It may not matter.

Not only does it not matter, it is expected and best practice.

> 	When I send mail through gmail, sendmail reports
> 'verify=FAIL'.  I hoped to make that not happen.

Completely unrelated to the preferred client CA list.  Sendmail's
TLS support is fairly anaemic, you should probably just ignore
this.  While it is possible to "verify" the certificate, that's
pointless unless you also configure secure matching of the MX
hostname against the certificate.  Absent DNSSEC (which gmail does
not currently support) you'd need to define custom policy for gmail
that insists on their current MX hostnames or some fuzzy match
thereof.  This is much too much work.

    https://tools.ietf.org/html/rfc7672#section-1.3

For now, opportunistic unauthenticated TLS will do and is what
most SMTP email uses:

    https://tools.ietf.org/html/rfc7435#section-1.3
    https://www.google.com/transparencyreport/saferemail/

> 	Quoth Mr Viktor Dukhovni:
> 
> 	'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html
> 
> 	That's the same as the man page I already have.
> 
> 	'Just pass a NULL stack.'
> 
> 	Is there an app with which I can do this or do I have to write
> a program?  Not that I can't do that.

None of this is applicable on the client side.

-- 
	Viktor.
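An added illustration, not part of Viktor's message or of any OpenSSL or sendmail code: the s_client line 'No client certificate CA names sent' simply reports that the server's CertificateRequest carried an empty certificate_authorities vector (RFC 5246 section 7.4.4; TLS 1.3 moves the same list into a certificate_authorities extension). The decoder below parses a TLS 1.2 CertificateRequest and renders that list the way s_client does. Both messages it inspects are constructed inline for the example (an empty list, as a server like Gmail's would send, and one with a made-up "Example Client CA"); nothing here is captured from Gmail, and the OID table and the s_client-style wording are the example's own.

```python
"""Decode a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) and report
its certificate_authorities vector, the CA DistinguishedNames the server
suggests for client certificates.  An empty vector is what
'openssl s_client' prints as 'No client certificate CA names sent'.
All messages here are constructed samples, not captures."""

HANDSHAKE_CERTIFICATE_REQUEST = 13
# Minimal OID table for rendering names (example's own, not exhaustive).
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}


def _der_tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (short form, or long form up to 65535 bytes)."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    if len(value) < 256:
        return bytes([tag, 0x81, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID; arcs above 127 use base-128 continuation bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunks.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunks)
    return _der_tlv(0x06, bytes(body))


def _decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def der_name(attrs) -> bytes:
    """Encode an X.501 Name: SEQUENCE of SET of SEQUENCE {OID, UTF8String}."""
    rdns = b"".join(
        _der_tlv(0x31, _der_tlv(0x30, _der_oid(oid) + _der_tlv(0x0C, val.encode())))
        for oid, val in attrs)
    return _der_tlv(0x30, rdns)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def name_to_str(dn: bytes) -> str:
    """Render a DER Name as 'C=.., O=.., CN=..' (unknown OIDs stay dotted)."""
    tag, rdns, end = _read_tlv(dn, 0)
    if tag != 0x30 or end != len(dn):
        raise ValueError("malformed DistinguishedName")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)      # SET (one RelativeDistinguishedName)
        _, atv, _ = _read_tlv(rdn, 0)           # SEQUENCE {type, value}
        _, oid, vpos = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, vpos)
        dotted = _decode_oid(oid)
        parts.append(f"{OID_NAMES.get(dotted, dotted)}={value.decode()}")
    return ", ".join(parts)


def build_certificate_request(ca_names, cert_types=(1,), sig_algs=((4, 1),)) -> bytes:
    """Construct a CertificateRequest: type(1) len(3) then the RFC 5246 body."""
    body = bytes([len(cert_types)]) + bytes(cert_types)            # rsa_sign
    sa = b"".join(bytes(p) for p in sig_algs)                      # sha256/rsa
    body += len(sa).to_bytes(2, "big") + sa
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body += len(cas).to_bytes(2, "big") + cas                      # may be empty
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg: bytes) -> dict:
    """Parse the handshake message, validating every length prefix."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match payload")
    pos = 0
    n, pos = body[pos], pos + 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    sa_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sa_len, 2)]
    pos += sa_len
    ca_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match message")
    ca_names = []
    while pos < end:
        dn_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName entry")
        ca_names.append(name_to_str(body[pos:pos + dn_len]))
        pos += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "ca_names": ca_names}


def describe_client_ca_list(msg: bytes) -> str:
    """Mirror s_client's wording for the CA list in a CertificateRequest."""
    names = parse_certificate_request(msg)["ca_names"]
    if not names:
        return "No client certificate CA names sent"
    return "Acceptable client certificate CA names: " + "; ".join(names)


# Constructed samples: a server that states no preference (as Gmail's does),
# and a server fronting a private client PKI (name is made up).
EMPTY_LIST_MSG = build_certificate_request([])
PRIVATE_PKI_MSG = build_certificate_request([der_name(
    [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Client CA")])])

if __name__ == "__main__":
    for m in (EMPTY_LIST_MSG, PRIVATE_PKI_MSG):
        print(describe_client_ca_list(m))
```

The empty vector costs the server nothing and leaks nothing about its trust store, which is why it is the sensible default for a public MTA; the list only matters to a client that holds several certificates and must pick one, and it has no bearing on how that client verifies the server's certificate.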

