Re: [PATCH] Re: [Exim] TLS and certificate chains

Author: John Holman
Date:  
To: exim-users
Subject: Re: [PATCH] Re: [Exim] TLS and certificate chains
Philip Hazel wrote:
> Thank you for researching that. I will look at your patch in connection
> with Exim 4. It sounds as though this is not something that needs an
> option but can just be installed for everyone. Is that right? If you
> only want one certificate sent, you just put one certification in the
> file. Right?


Yes. I also tried putting the private key into the same file as the
certificates and that seems to work, so the change would be backwards
compatible as far as I can see.

One thing to note is that multiple certificates should be given in the
correct order. In my case, first the server certificate itself, then a
first intermediate certificate to validate the issuer of the server
certificate, then a second intermediate certificate to validate the
issuer of the first intermediate certificate, and finally (optionally)
the root certificate that validates the issuer of the second
intermediate certificate. (The root certificate must already be trusted
by the client for validation to succeed, of course, but if it's not
preinstalled sending the root certificate along with the rest
potentially makes it available for the user to install).

John