Re: [Exim] tls certificate verification

Author: Steve Haslam
Date:  
To: exim-users
Subject: Re: [Exim] tls certificate verification
On Mon, Sep 09, 2002 at 09:00:20PM +0200, Tony Earnshaw wrote:
> > SMTP<< STARTTLS
> > tls_certificate file /etc/exim/araqnid.ddts.net-rsa.crt
> > tls_privatekey file /etc/exim/araqnid.ddts.net-rsa.key
> > Initialised TLS
> > host in tls_verify_hosts? yes (matched "*")
> > SMTP>> 220 TLS go ahead
> > Calling SSL_accept
>
> This has got nothing to do with authentication, simply TLS encryption for
> TLS-encrypted smtp.
>
> The TLS used by slapd and the auth routines (e.g AUTH PLAIN, AUTH
> CRAM-MD5) does/do any necessary authentication, which is a beast of
> quite another spirit and kind (see the AUTH chapter in spec.txt). The
> two should not be confused. Can/should even use completely different
> certificates from the ones above.


OK, I appreciate they use different certificate sets -- but basically, if you
wanted to set up SMTP-authenticating-using-TLS-certificates, how would you
do it? I'm looking at the code and a chunk of it that ought to be outputting
debug messages if Exim is checking that the peer certificate is signed by
the right CA isn't doing anything.

I don't use TLS and LDAP together atm, I'm just concerned with SMTP+TLS. I
was thinking of setting up certificates on both the machines I have here, and
making them require the right certificate from each one (check the CN of
the subject matches the hostname, check the root CA is the same as local
etc.).

Afaict, the sorting out of TLS certificates on SMTP is done at the time the
TLS session is established, i.e. after STARTTLS.

SRH
--
Steve Haslam      Reading, UK                           araqnid@???
Debian GNU/Linux Maintainer                               araqnid@???
almost called it today, turned to face the void, numb with the suffering
and the question- "Why am I?"                                  [queensrÿche]
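As an added illustration (not part of this thread and not the Exim project's own configuration), the receiving-side Exim 4 settings that make the server verify a presented client certificate against a local CA bundle and then insist on that verification in the RCPT ACL; the CA bundle path and the ACL name are assumptions:

```exim
# main section: present our own certificate (paths as shown in the debug
# output above) and verify client certificates against a CA bundle
# (/etc/exim/ca-bundle.crt is an assumed placeholder path)
tls_certificate = /etc/exim/araqnid.ddts.net-rsa.crt
tls_privatekey = /etc/exim/araqnid.ddts.net-rsa.key
tls_verify_certificates = /etc/exim/ca-bundle.crt
# ask every client for a certificate; with tls_verify_hosts (rather than
# tls_try_verify_hosts) the TLS session fails if it does not verify
tls_verify_hosts = *

# assumed ACL name; wired in with:  acl_smtp_rcpt = acl_check_rcpt
begin acl

acl_check_rcpt:
  # "encrypted = *" alone only proves the link is encrypted; "verify =
  # certificate" is true only if the client's certificate chained to the CA
  deny    message = A verified client certificate is required
          !verify = certificate
  # the verified peer DN is available for further site-specific checks
  # (e.g. comparing its CN with the expected hostname)
  warn    logwrite = client certificate verified: $tls_peerdn
  accept
```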