Re: real-world issues with smtpd_tls_ask_ccert?

From: Victor Duchovni (Victor.Duchovni@morganstanley.com)
Date: Fri Aug 21 2009 - 09:37:50 CDT


On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:

> Ralf Hildebrandt wrote:
>>>
>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>>> unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>>> from unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>>> AES128-SHA (128/128 bits)
>>>
>>> Why does it say "Anonymous TLS connection"?
>> Because the TLS certificate is not signed by a trusted CA.
>
> No, it's because an anonymous cipher is used when there is no client
> certificate. If it was a certificate trust problem, the connection would
> be labeled "Untrusted".

No, it is because the client did not provide a certificate. The cipher
AES128-SHA is not an "anonymous" cipher, the server did provide a
certificate to the client, but the converse was false.

Don't confuse anonymous ciphers with anonymous clients using a cipher
that (if the client bothers, ...) authenticates the server.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
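The distinction Viktor draws above is easy to get wrong when reading logs, so here is an added example (not from the thread or from Postfix itself) that parses Postfix smtpd TLS log lines and reports the client-certificate status from the leading label separately from whether the cipher suite itself is anonymous. The sample log lines are constructed; the label set and the ADH-/AECDH- prefixes for OpenSSL aNULL suites are assumptions based on Postfix 2.x and OpenSSL naming.

```python
import re

# One Postfix smtpd TLS line, e.g. the one quoted in the thread (joined onto one line):
#   ... postfix/smtpd[7724]: Anonymous TLS connection established from
#       unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher AES128-SHA (128/128 bits)
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<label>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)

# The leading word is about the CLIENT certificate, never about the cipher.
CLIENT_CERT_STATUS = {
    "Anonymous": "no client certificate presented",
    "Untrusted": "client certificate presented but not verified",
    "Trusted": "client certificate verified against a trusted CA",
    "Verified": "client certificate matched a configured fingerprint or name",
}


def is_anonymous_cipher(cipher):
    """True only for OpenSSL aNULL key-exchange suites (ADH-*, AECDH-*).
    AES128-SHA is RSA-authenticated, so the server proved its identity."""
    return cipher.startswith(("ADH-", "AECDH-"))


def classify(line):
    """Return a dict describing the handshake, or None for non-TLS lines."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "peer": d["peer"],
        "protocol": d["proto"],
        "cipher": d["cipher"],
        "bits": int(d["bits"]),
        "client_cert": CLIENT_CERT_STATUS[d["label"]],
        "server_authenticated_suite": not is_anonymous_cipher(d["cipher"]),
    }


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[192.0.2.10]",
    "Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established "
    "from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Aug 20 22:50:07 server postfix/smtpd[7731]: Untrusted TLS connection established "
    "from mail.example.net[198.51.100.5]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
]


def summarize(lines):
    """Classify every TLS line in a log excerpt, skipping the rest."""
    return [r for r in (classify(l) for l in lines) if r is not None]
```

Running `summarize(SAMPLE_LOG)` shows the thread's line as "no client certificate presented" with an authenticated cipher suite, while the constructed ADH- line is flagged as a genuinely anonymous suite even though the client did send a certificate.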