
Re: [msmtp-users] Proxy support patch



Hi!

On Tue, 7 Oct 2014 14:45:24 -0400, grarpamp wrote:
> On Tue, Oct 7, 2014 at 1:28 PM, Ángel González <angel@...372...>
> wrote:
> > CustaiCo wrote:
> >> Because of how cleanly separated the network code is from the rest
> >> of the application, I'm fairly sure that there should be no leaks,
> >> unless the ssl library decides to open its own connections for no
> >> reason.
> >
> > Like doing an OCSP check?
> >
> > (although neither openssl nor gnutls seem to do that automatically
> > nowadays)
> 
> Exactly like that, it's worth looking for, i.e.: can the user's TLS
> config or TLS compile default turn on OCSP

Currently you can use --tls-crl-file, and you have to update the CRL
file via some external mechanism. Though I doubt that anybody does
that.

Note that if you want automatic revocation checking via OCSP, you have
to be very careful not to reveal information about which servers you
contact at which time. (As far as I know, the certificate you want to
check is sent to the server. And OCSP may not even use encryption
itself, so all information you reveal is public.)

Martin