> Perhaps Sendmail is setting the CA names the client side, and then
> OpenSSL is trying to serialize the names of all your CAs to the
> server. This is a bad idea. Don't do that. Try using CApath, and
> no or an explicitly empty CAfile, and see if that helps.

Do you mean CACertFile and CACertPath? Redhat/Centos stock sendmail.mc/cf uses:

O CACertFile=/etc/pki/tls/certs/ca-bundle.crt
O CACertPath=/etc/pki/tls/certs

pointing the CACertFile to a 750KB file with 149 certificates. That just
seems wrong, but perhaps there is some reason for it. If CACertFile is
not specified, sendmail won't advertise STARTTLS. So we need to give it
something there, and the docs imply that it should at least contain the
certificate of the CA that signed the sendmail certificate.

I have a private CA that signed my sendmail certificate, so using:

O CACertFile=/etc/pki/tls/certs/my-ca-certificate.pem
O CACertPath=/etc/pki/tls/certs
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

on both the client and server sendmail machines, we get TLSv1.3!
Perhaps some certificate in the stock ca-bundle.crt is malformed?

> No, something else. A pointer to source code of the Sendmail in
> question may be helpful.

http://www.five-ten-sg.com/mapper/blog/DANE
ftp://ftp.sendmail.org/pub/sendmail/snapshots/sendmail.8.16.0.29.tar.gz
http://www.five-ten-sg.com/util/sendmail-8.16.0-dane.patch

> Do you see any calls to SSL_CTX_set0_CA_list()?

No, but there is a call to

SSL_CTX_set_client_CA_list(*ctx, SSL_load_client_CA_file(cacertfile))

which would read that ca-bundle.crt file.

-- 
openssl-users mailing list
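The check a practitioner would want before pointing SSL_load_client_CA_file at a whole distribution bundle, written here as an added example that is neither the poster's code nor Sendmail's or OpenSSL's: it walks each certificate in a PEM bundle, pulls out the DER subject Name (what a TLS 1.3 certificate_authorities list carries per CA, RFC 8446 section 4.2.4), and totals the bytes the extension would occupy. The fake_cert and bundle_of helpers are assumptions that construct throwaway, unsigned certificates purely as sample input; on a real host you would read /etc/pki/tls/certs/ca-bundle.crt instead.

```python
import base64

# Added example (not Sendmail's or OpenSSL's code): how large the TLS 1.3
# certificate_authorities list gets when every CA in a PEM bundle is advertised.
TLS13_CA_LIST_MAX = 2 ** 16 - 1  # RFC 8446 4.2.4: DistinguishedName authorities<3..2^16-1>

def tlv(tag, body):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits give the length's byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def subject_name_der(cert):
    """Return the DER bytes of the subject Name of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, read_tlv(cert, 0)[1])  # Certificate -> tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version (v3 certs)
        pos = end
    for _ in range(4):                         # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)            # subject Name
    return cert[pos:end]

def ca_list_size(bundle):
    """Bytes the certificate_authorities extension body needs for this PEM bundle."""
    total = 2                                  # two-byte length prefix of the whole list
    for chunk in bundle.split("-----END CERTIFICATE-----")[:-1]:
        der = base64.b64decode(chunk.split("-----BEGIN CERTIFICATE-----")[1])
        total += 2 + len(subject_name_der(der))  # per-DN length prefix + DN itself
    return total

def fake_cert(cn):
    """Constructed, unsigned v1 stand-in certificate: just enough structure to parse."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + name + tlv(0x30, b"") + name)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def bundle_of(cns):
    """Constructed PEM bundle holding one fake certificate per common name."""
    return "".join("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
                   % base64.encodebytes(fake_cert(cn)).decode() for cn in cns)
```

Every byte counted here is sent in the clear in the ClientHello when the client side sets the list, so comparing the total against TLS13_CA_LIST_MAX and against what peers will accept in a hello is the quick way to decide whether CACertFile should hold only the private CA, as the poster ended up doing.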