Article <100io2i$2ahf$1@gal.iecc.com>

Path: news.eternal-september.org!eternal-september.org!feeder3.eternal-september.org!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: John Levine <johnl@taugh.com>
Newsgroups: comp.mail.sendmail
Subject: Re: Client Auth certificates, threat or menace?
Date: Tue, 20 May 2025 20:18:26 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <100io2i$2ahf$1@gal.iecc.com>
References: <100iavl$13mj$1@gal.iecc.com> <100iip0$di9$1@news.misty.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 20 May 2025 20:18:26 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
	logging-data="76335"; mail-complaints-to="abuse@iecc.com"
In-Reply-To: <100iavl$13mj$1@gal.iecc.com> <100iip0$di9$1@news.misty.com>
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)

According to Claus Aßmann  <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>:
>John Levine  wrote:
>
>> By my understanding, the only place that a mail system uses Client
>> Authentication certs is that a submission client can present a cert
>> for SMTP AUTH rather than a username and a password. It's a niche
>
>There is more, see cf/README: Relaying.

Well, OK, but in practice that's a special case of submission.

>sendmail doesn't care about "EKU":
>
>sendmail.org.cert.pem
>Certificate:
>        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
>        X509v3 extensions:
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication, TLS Web Client Authentication

That's not very helpful since that cert has both key usages.

The claim, which I'm not sure I believe, is that the calls to openssl have default values
that want the client flag.
-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
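
Added example (not part of the original post, and not sendmail's code): the kind of purpose check the thread is asking about can be observed with the `openssl verify -purpose` command. The script issues constructed test certificates with different EKU values from a throwaway CA and reports whether OpenSSL accepts each one for `sslclient` and `sslserver`; the CA name, `mail.example.test` and the `purpose_ok` helper are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: how OpenSSL's purpose check treats Extended Key Usage (EKU).
# All names, keys and certificates here are constructed test data.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# Throwaway self-signed CA, and one leaf key + CSR reused for every test cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=mail.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# purpose_ok EKU PURPOSE
# Sign the CSR with extendedKeyUsage=EKU as its only extension, then ask
# "openssl verify" whether the result is acceptable for PURPOSE.
# Returns openssl's exit status: 0 = accepted, non-zero = rejected.
purpose_ok() {
    printf 'extendedKeyUsage = %s\n' "$1" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/leaf.csr" -days 2 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null || return 2
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

for eku in serverAuth clientAuth serverAuth,clientAuth; do
    for purpose in sslserver sslclient; do
        if purpose_ok "$eku" "$purpose"; then r=accepted; else r=rejected; fi
        printf '%-26s %-10s %s\n' "EKU=$eku" "$purpose" "$r"
    done
done
```

A certificate that carries no EKU extension at all is not rejected by this check for either purpose; the script only exercises certificates that have one.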