smtp[d]?_tls_CApath and c_rehash(1)

  • Victor Duchovni
    Message 1 of 1 , Oct 4, 2006
      The thread about CApath and c_rehash prompted me to read the c_rehash
      Perl script. Regrettably, but perhaps not surprisingly, the actions of this
      script are not sufficiently atomic to be used safely on a running system.

      It first removes all the symlinks (leaving the directory temporarily
      unusable) and then rebuilds them all from scratch. A better implementation
      would validate all existing links, removing only the stale ones, and
      then add links only for .pem files that don't already have links.

      Bottom line, if certificate verification is important to you, and you
      use CApath, stop Postfix before running c_rehash, or have the CApath
      be a symlink to a real directory, copy it for updates, rehash the copy,
      and update the symlink (atomically) to point to the new directory.

      If someone feels really motivated to write some decent Perl code, fix
      the script to not mess with valid CApath entries, rather just delete
      the stale ones, and add the missing ones. Then post a bug report with
      a fix to the OpenSSL bug tracking system.

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
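
The copy, rehash, and symlink-swap procedure described in the message above, as an added shell sketch (not part of the original post, and not OpenSSL or Postfix code). It assumes GNU coreutils (`cp -a`, `mv -T`, `readlink -f`); the names `capath_update` and `REHASH_CMD` are made up for this example.

```shell
#!/bin/sh
# Added example: update a CApath directory without ever exposing a
# half-rebuilt set of hash links to running TLS clients or servers.
# Assumption: the configured CApath is a symlink to the real directory.

# Hypothetical knob: the rehash tool to run on the copy.
REHASH_CMD=${REHASH_CMD:-c_rehash}

# capath_update LINK [NEW_PEM...]
# Prints the previous real directory so it can be removed later.
capath_update() (
    set -eu
    link=$1; shift

    # Without a symlink there is nothing that can be swapped atomically.
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; exit 1; }

    old=$(readlink -f "$link")
    # Create the copy next to the live directory (same filesystem).
    new=$(mktemp -d "$(dirname "$old")/capath.XXXXXX")

    # Copy the live contents, add any new certificates, rehash the COPY.
    cp -a "$old/." "$new/"
    for pem in "$@"; do cp "$pem" "$new/"; done
    # mktemp creates mode 0700; 0755 is an assumption, adjust to local policy.
    chmod 755 "$new"
    $REHASH_CMD "$new" >/dev/null

    # Create the replacement symlink under a temporary name, then rename(2)
    # it over the live one. -T stops mv from following the old symlink and
    # moving the new link *into* the old directory.
    tmp="$link.new.$$"
    ln -s "$new" "$tmp"
    mv -T "$tmp" "$link"

    echo "$old"
)
```

Point `smtp[d]_tls_CApath` at the symlink, not at the real directory. The old directory is left in place on purpose; remove it once nothing is still reading from it.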