Comments on: Buffer overflows ahoy http://www.sirena.org.uk/log/2009/02/18/buffer-overflows-ahoy/ Just another random blog Tue, 03 Jan 2012 12:55:06 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Mark Brown http://www.sirena.org.uk/log/2009/02/18/buffer-overflows-ahoy/comment-page-1/#comment-57953 Mark Brown Fri, 20 Feb 2009 11:12:29 +0000 http://www.sirena.org.uk/log/?p=158#comment-57953 @mirabilos: Half the problem is that this is the default configuration in Debian - I blogged it mostly to try to help anyone else who runs into it Google the problem faster. @mirabilos: Half the problem is that this is the default configuration in Debian – I blogged it mostly to try to help anyone else who runs into it Google the problem faster.

]]> By: mirabilos http://www.sirena.org.uk/log/2009/02/18/buffer-overflows-ahoy/comment-page-1/#comment-57949 mirabilos Fri, 20 Feb 2009 08:46:23 +0000 http://www.sirena.org.uk/log/?p=158#comment-57949 Don't do that then. The point is, you are only sending the chain from the root to your own server certificate out to the client. The list of certificates used for (client) certificate validation is orthogonal to it, and not sent. In sendmail, these are: O CACertPath=/etc/ssl/certs → peer certficate validation (directory with *.0 files) O CACertFile=/etc/ssl/deflt-ca.cer → own certificate chain; root ca, intermediate cas, but not own server certificate (PEM file/bundle) O ServerCertFile=/etc/ssl/default.cer O ClientCertFile=/etc/ssl/default.cer → own certificate (I use the same, no matter if my sendmail is the sender or recipient) O ServerKeyFile=/etc/ssl/private/default.key O ClientKeyFile=/etc/ssl/private/default.key → own private key (similarily) For Drecksim, the names of the configuration parametres may differ, the use would be the same, I suppose. Don’t do that then. The point is, you are only sending the chain from the root to your own server certificate out to the client. The list of certificates used for (client) certificate validation is orthogonal to it, and not sent.

In sendmail, these are:

O CACertPath=/etc/ssl/certs
→ peer certficate validation (directory with *.0 files)
O CACertFile=/etc/ssl/deflt-ca.cer
→ own certificate chain; root ca, intermediate cas, but not own server certificate (PEM file/bundle)
O ServerCertFile=/etc/ssl/default.cer
O ClientCertFile=/etc/ssl/default.cer
→ own certificate (I use the same, no matter if my sendmail is the sender or recipient)
O ServerKeyFile=/etc/ssl/private/default.key
O ClientKeyFile=/etc/ssl/private/default.key
→ own private key (similarily)

For Drecksim, the names of the configuration parametres may differ, the use would be the same, I suppose.

]]> By: Kurt Roeckx http://www.sirena.org.uk/log/2009/02/18/buffer-overflows-ahoy/comment-page-1/#comment-57921 Kurt Roeckx Wed, 18 Feb 2009 18:00:44 +0000 http://www.sirena.org.uk/log/?p=158#comment-57921 See http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/ See http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/

]]>