Hi there,
I have a setup of two machines which communicate via TLS and certificate
verification.
My basic problem with this is that the certificate verification is not
picky enough.
The client accepts any certificate which has been issued by the CA,
regardless of the client's CN.
When the CA cert is removed from the file holding the certificates, Exim
complains about an unknown local issuer, so this is not an option.
Maybe the problem can be resolved by means of "tls_peerdn" verification.
Here are the relevant entries of the configuration files:
Server side:

  tls_advertise_hosts = *
  tls_certificate = /etc/exim4/exim-ssl-cert.pem
  tls_privatekey = /etc/exim4/exim-ssl-key.pem
Client side (transport):

  tls_smtp:
    driver = smtp
    hosts_require_tls = <servername>
    tls_verify_certificates = ${lookup {$host} lsearch \
                              {/etc/exim4/smtp.certs} {$value}}
And /etc/exim4/smtp.certs containing lines like this:

  <servername>: /etc/exim4/exim-ssl-cert.pem_cert_of_serverside_and_CA-Cert

The file contains the certificate of the server and the CA cert.
Any hint would be appreciated.
Regards
Sven
--
"We just typed make"
(Stephen Lambrigh, Director of Server Product Marketing at Informix
about porting their Database to Linux)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web
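An added example of the client-side transport the question is about, showing the configuration that only checks the issuer beside one that also binds the certificate to the host name; this is not the poster's configuration, it assumes Exim 4.80 or later (where tls_verify_cert_hostnames exists), and the host name mail.example.net and the path /etc/exim4/smtp-ca.pem are placeholders.

```conf
# Added example, not the poster's own configuration. Assumes Exim >= 4.80;
# mail.example.net and /etc/exim4/smtp-ca.pem are placeholders.

# Weak: the chain is checked against the CA bundle, but the name check is
# switched off (the empty list), so any certificate the same CA has issued
# to any other host is accepted. Exim older than 4.80 behaved like this
# unconditionally, which is the symptom described in the post.
tls_smtp_weak:
  driver = smtp
  hosts_require_tls = mail.example.net
  tls_verify_certificates = /etc/exim4/smtp-ca.pem
  tls_verify_cert_hostnames =

# Hardened: verification is mandatory for the listed host (a failure aborts
# delivery instead of being logged and ignored), the CA bundle remains the
# trust anchor, and the certificate's SAN/CN must match the name Exim
# connected to, so a sibling certificate from the same CA is rejected.
tls_smtp:
  driver = smtp
  hosts_require_tls = mail.example.net
  tls_verify_hosts = mail.example.net
  tls_verify_certificates = /etc/exim4/smtp-ca.pem
  tls_verify_cert_hostnames = mail.example.net
  tls_sni = $host

# Main configuration: record whether the peer certificate verified (CV=)
# and its DN (DN=) on each delivery log line, so a mismatch is visible.
log_selector = +tls_certificate_verified +tls_peerdn
```

With the hardened transport a connection whose certificate verifies against the CA but carries a different name is logged with CV=no and the delivery is deferred rather than completed.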