smtp[d]?_tls_CApath and c_rehash(1)
The thread about CApath and c_rehash prompted me to read the c_rehash
Perl script. Regrettably, but perhaps not surprisingly, the actions of this
script are not sufficiently atomic to be used safely on a running system.
It first removes all the symlinks (leaving the directory temporarily
unusable) and then rebuilds them all from scratch. A better implementation
would validate all existing links, removing only the stale ones, and
then add links only for .pem files that don't already have links.

Bottom line, if certificate verification is important to you, and you
use CApath, stop Postfix before running c_rehash, or have the CApath
be a symlink to a real directory, copy it for updates, rehash the copy,
and update the symlink (atomically) to point to the new directory.

If someone feels really motivated to write some decent Perl code, fix
the script to not mess with valid CApath entries, rather just delete
the stale ones, and add the missing ones. Then post a bug report with
a fix to the OpenSSL bug tracking system.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.