On Sun, Aug 18, 2002 at 10:40:40PM +0100, Matt Bernstein wrote:
> I think you might misunderstand how certificates "and all that" work. The
> client may offer a certificate, if requested, and the server may verify it
> if it knows about a CA which has signed it. But, even though I've got it
> to work, I'm no expert! Try the references the Exim spec points to.
Unless exim 4's certificate verification calls have changed, it didn't
deal with CAs directly, just with copies of the certificate. (either in
a hashed directory or in a single file). (god, openssl is horrid).
I believe Martin Keegan at some point had a patch that let it use any
certificate signed by a particular CA, but I'm not sure that ever went
into the source, or even if he passed it to Phil. Ideally, what you
actually want is to specify the Cert, the CA/DN or CA and range of valid
DNs, but this will make the verification code significantly complex.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/