Technical Tip: Disable display of Acceptable client certificate CA names in TLS handshake
Description

This article describes the behavior of FortiMail displaying a list of "Acceptable client certificate CA names" to the client during the initial connection. If this behavior is not desired (for example, due to privacy concerns), it can be disabled.

The behavior is described in RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, section 7.4.4 (Certificate Request):

    certificate_authorities
    A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.

If, for privacy reasons, it is not preferred to display this list, it can be disabled from the FortiMail CLI.
Scope

FortiMail.
Solution

Use the commands below to disable the display of acceptable client certificate CA names by FortiMail:

```text
config system mailserver
    set show-acceptable-cert-ca disable
end
```

Reference: CLI Reference, system mailserver:

    show-accept-cert-ca {enable | disable}    Enable to show acceptable client certificate ca.

Before the change, `openssl s_client` shows the list sent by FortiMail in its CertificateRequest:
```text
C:\>openssl s_client -connect 192.168.0.10:25 -starttls smtp
Connecting to 192.168.0.10
CONNECTED(000001B8)
Can't use SSL_get_servername
depth=0 C=AF, CN=192.168.0.10
verify error:num=66:EE certificate key too weak
verify return:1
depth=1 CN=FML_CA_test
verify error:num=66:EE certificate key too weak
verify return:1
depth=1 CN=FML_CA_test
verify return:1
depth=0 C=AF, CN=192.168.0.10
verify return:1
.....
Acceptable client certificate CA names
CN=FML_CA_test
…
```

The line 'Acceptable client certificate CA names' followed by 'CN=FML_CA_test' is the list in question.
After applying 'set show-acceptable-cert-ca disable', FortiMail does not display the list of 'Acceptable client certificate CA names' to the client.
```text
C:\>openssl s_client -connect 192.168.0.10:25 -starttls smtp
Connecting to 192.168.0.10
CONNECTED(000001B0)
Can't use SSL_get_servername
depth=0 C=AF, CN=192.168.0.10
verify error:num=66:EE certificate key too weak
verify return:1
depth=1 CN=FML_CA_test
verify error:num=66:EE certificate key too weak
verify return:1
depth=1 CN=FML_CA_test
verify return:1
depth=0 C=AF, CN=192.168.0.10
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXX …
-----END CERTIFICATE-----
subject=C=AF, CN=192.168.0.51
issuer=CN=FML_CA_test
---
No client certificate CA names sent
```

'No client certificate CA names sent' replaces the earlier list: FortiMail still sends a CertificateRequest, but with an empty certificate_authorities list, which per RFC 5246 means the client may present any certificate of the appropriate type.
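To make the RFC 5246 structure quoted above concrete, the following added example (not FortiMail or OpenSSL code; the DER and message encoders are constructed here for illustration) builds a TLS 1.2 CertificateRequest body with and without a certificate_authorities entry and parses the DN list back out, which is exactly the difference between the two `openssl s_client` sessions shown.

```python
import struct

# Constructed helpers for a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4):
#   certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
#   certificate_authorities<0..2^16-1> (a list of 2-byte-length-prefixed DER Names).

def _der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (payload < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def der_name_cn(cn: str) -> bytes:
    """DER Name with a single CN attribute: SEQ { SET { SEQ { OID 2.5.4.3, UTF8String } } }."""
    atv = _der_tlv(0x30, _der_tlv(0x06, b"\x55\x04\x03") + _der_tlv(0x0C, cn.encode()))
    return _der_tlv(0x30, _der_tlv(0x31, atv))

def build_certificate_request(ca_names: list) -> bytes:
    """Encode the body; ca_names is a list of DER Names (empty list = no CA names sent)."""
    cert_types = b"\x01"                      # rsa_sign
    sig_algs = b"\x04\x01\x04\x03"            # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def parse_certificate_request(body: bytes) -> list:
    """Return the DER DistinguishedNames found in certificate_authorities."""
    pos = 1 + body[0]                                        # skip certificate_types
    (salen,) = struct.unpack_from("!H", body, pos); pos += 2 + salen
    (calen,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + calen
    names = []
    while pos < end:
        (nlen,) = struct.unpack_from("!H", body, pos); pos += 2
        names.append(body[pos:pos + nlen]); pos += nlen
    if pos != end:
        raise ValueError("truncated certificate_authorities list")
    return names

def cn_of(der_name: bytes) -> str:
    """CN value of a single-attribute Name as built by der_name_cn (not a general DN decoder)."""
    # SEQ(2) SET(2) SEQ(2) OID(5) -> UTF8String tag at offset 11, length at 12, value at 13
    assert der_name[11] == 0x0C
    return der_name[13:13 + der_name[12]].decode()

def disclosed_ca_names(body: bytes) -> list:
    """What openssl prints under 'Acceptable client certificate CA names'; [] means none sent."""
    return [cn_of(n) for n in parse_certificate_request(body)]
```

With the setting enabled the parsed list contains the FortiMail CA name; with it disabled the list is empty, matching 'No client certificate CA names sent'.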