Disable client authentication with certificates

Stefan Gofferje lists at home.gofferje.net
Tue Dec 10 10:33:00 EST 2013

On 12/10/2013 12:49 PM, Wolfgang Breyha wrote:
> cyrus distinguishes between asking for a cert and requiring a cert. I don't
> know why, sorry. Sometimes it is practical to ask for a cert and only try to
> verify it without enforcing it. But asking for certs while incapable to verify
> them (without CAs) seems odd. That's why I decided to do it that way.

Maybe the existing options could just be extended, like in the Postfix
setting for TLS, e.g.

tls_imap_require_cert: no|ask|require

I think, having logical options which are clear to the admin are better
than some implicit consequences which are not not bilaterally logical.
I don't know if I express this right/understandable :).

The background is that a bunch of TLS tutorials on the web include
configuring the CA but not explaining in detail why, so an inexperienced
admin could assume that he should put the CA certificate for the server
cert's CA there.


 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4079 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20131210/208fb211/attachment-0001.bin 

More information about the Info-cyrus mailing list