[Exim] DN/CN Verification in Exim TLS-client?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Sven Geggus
Date:  
À: exim-users
Sujet: [Exim] DN/CN Verification in Exim TLS-client?
Hi there,

I have a Setup of two machines which communicate via TLS and certificate
verification.

My basic Problem with this is, that the certificate verification is not
picky enough.

The client accepts any Certificate which has been issued by the CA,
regardless of the clients CN.

When the CA-Cert is removed from the file holding the certificates Exim
complains about unknown local issuer, so this is not an option.

Maybe the Problem can be resolved by means of "tls_peerdn" Verification.

Here are the relevant entries of the Konfiguration Files:

Server side:
tls_advertise_hosts = *
tls_certificate=/etc/exim4/exim-ssl-cert.pem
tls_privatekey=/etc/exim4/exim-ssl-key.pem

Client side (transport):
tls_smtp:
  driver = smtp
  hosts_require_tls = <servername>
  tls_verify_certificates = ${lookup {$host} lsearch
{/etc/exim4/smtp.certs}\
                                                     {$value}}


And /etc/exim4/smtp.certs containing lines like this:

<servername>: /etc/exim4/exim-ssl-cert.pem_cert_of_serverside_and_CA-Cert

The File contanis the certificate of the server and the CA-Cert.

Any hint would be appreciated

Regards

Sven

--
"We just typed make"
(Stephen Lambrigh, Director of Server Product Marketing at Informix
                                      about porting their Database to Linux)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web