Autor: Lars Mainka Data: A: Gray, Richard CC: exim-users Assumpte: Re: [exim] TLS and Client Certificate Verification
Hi Richard,
> I may be wrong here, but my understanding of certs is that what exim is
> doing is checking the authorities on your certificate. The idea is that
> I would tell exim to allow mail from certs signed by the CA. I am now
> able to issue certs for new users without having to log on to the box
> and add their certificate
Yes, thats exactly what exim is doing. But this would mean, if you are
accepting certificates signed by verisign (in example), every client
with a verisign certificate can connect to the box, wether you have the
client cert on the box or not and that would be a lot of clients.
> From exim's point of view, It trusts the CA, and the CA trusts the
> certificate, so exim trusts the certificate.
If I would use sslwrapper like stunnel, it is possible to gave only
those clients access to the server, if their certificates are copied to
the server and accessible by their hash value. I don't want to use those
wrappers, cause I prefer one daemon listening to all the needed
addresses and ports. In my understanding of the exim documentation "37.4
Requesting and verifying client certificates", the exim tls
implemetation says nothing about the limitation of using ca certificates
in the tls_verify_certificates directory.
Does anybody got the client authorization with certificates to work or
am I wrong in my understanding of the documentation?