SSL cert/key location (was: rawhide report: 20041217 changes)
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Tue Dec 21 20:28:28 UTC 2004
dwmw2 at infradead.org (David Woodhouse) writes:
>> exim-4.43-3
>> -----------
>> * Thu Dec 16 2004 David Woodhouse <dwmw2 at redhat.com> 4.43-3
>> - Demonstrate SASL auth configuration in default config file
>> - Enable TLS and provide certificate if necessary
>> - Don't reject all GB2312 charset mail by default
>
> This enables TLS on incoming and outgoing mail by default -- some
> feedback from testing would be appreciated.
To repeat my arguments from bugs #141479, #143392 and #143393:
* the /usr filesystem (inclusive /usr/share/ssl) can be shared between
several hosts; when there are multiple servers, every one would use
the same certificate. This will not work because CN must match the DNS
name
* the sharing happens in >90% of all cases over an unencrypted
network-filesystem (NFS). So, an attacker could easily get the
SSL key.
A better place for the certificates would be somewhere under /etc.
Enrico
More information about the fedora-devel-list
mailing list