From: Alexander Leidinger <Alexander@leidinger.net>
To: Rick Macklem
Cc: Ronald Klop, freebsd-current@freebsd.org
Date: Mon, 16 Mar 2020 09:19:40 +0100
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <20200316091940.Horde.16mziiZfZLwd2x3zuIke061@webmail.leidinger.net>
List: freebsd-current@freebsd.org
Quoting Rick Macklem (from Sun, 15 Mar 2020 23:27:58 +0000):

> As such, it still seems to be a bit of a mystery to me, but it seems that putting
> all the certificates in a CAfile and not using a CApath directory is the simpler
> way to go.

If you have multiple CAs in the file, the code needs to search for one which matches. If you use the path, the code just needs to list the directory and check the filename which matches the id of the CA-cert. On a recent -current system where you've never run "certctl rehash", have a look into /etc/ssl/certs, then run "certctl rehash", and then check /etc/ssl/certs again to see what I mean.

For a program which communicates with a lot of different systems which use different CAs (mailserver, browser), the path makes sense. For an NFS server I wouldn't configure all the Mozilla-accepted CAs. As such a CAfile may be enough, but having the possibility for both allows the user to choose which way he wants to configure his system (e.g. maybe he has just one CA in a directory, but for consistency reasons he prefers to specify the path to be able to use one way to configure things).

You can do it either way, technically it doesn't matter. It makes sense to have both possibilities (that would be my preference, to give the user the choice which way he wants to handle it). Having only the file-way would not be stupid (as you can see with wpa and unbound, which are used in a similar way in this regard as one would use NFS). Only the path-way would be less favorable in my opinion.

> I haven't yet decided whether or not I'll specify a command option for setting
> CApath.

Sendmail does. wpa and unbound don't?
Sendmail needs to use more than one CA if it wants to validate connections from anyone, and it wants to do it in a performant way. WIFI and DNS typically only need one CA.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
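As an added example (not code from the thread or from FreeBSD), the script below reproduces the CAfile versus CApath lookup difference Alexander describes: a CA in a bundle is found by scanning the file, while a CA in a directory is found only under its subject-name-hash filename, which is the layout "certctl rehash" (or c_rehash) produces, so an un-rehashed directory silently fails verification. It assumes the openssl command-line tool is installed; the CA name, client name and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the thread: CAfile (scan one bundle) versus CApath
# (lookup by <subject-hash>.0 filename, the layout certctl rehash / c_rehash
# produce). Assumes the openssl CLI; all names and paths are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Throw-away demo CA plus one client certificate signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo NFS CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-nfs-client" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# $1 = directory, $2 = hashed|unhashed. Only the hashed layout is a usable CApath.
build_capath() {
    mkdir -p "$1"
    if [ "$2" = hashed ]; then
        subj_hash=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
        cp "$WORK/ca.pem" "$1/$subj_hash.0"   # e.g. 3f2a1b4c.0, as certctl rehash writes
    else
        cp "$WORK/ca.pem" "$1/ca.pem"          # present, but OpenSSL never looks here
    fi
}

# Exit 0 when leaf.pem chains to a trusted CA, given the trust-store arguments in $@.
verify_leaf() {
    openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns 0 when the three lookups behave as the thread describes.
demo() {
    make_certs
    build_capath "$WORK/good" hashed
    build_capath "$WORK/bad" unhashed
    verify_leaf -CAfile "$WORK/ca.pem"; r_file=$?   # bundle: found by scanning
    verify_leaf -CApath "$WORK/good";   r_good=$?   # dir: found via hash filename
    verify_leaf -CApath "$WORK/bad";    r_bad=$?    # dir without rehash: CA not found
    echo "CAfile=$r_file CApath(hashed)=$r_good CApath(unhashed)=$r_bad  (0 = verified)"
    [ "$r_file" -eq 0 ] && [ "$r_good" -eq 0 ] && [ "$r_bad" -ne 0 ]
}
demo
```

The third result is the failure mode to watch for on a server that trusts a directory: dropping a CA file into the directory is not enough until it is rehashed.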