From: Lars Mainka Date: To: Paul Dekkers CC: exim-users, Gray, Richard Subject: Re: [exim] TLS and Client Certificate Verification
Hi Paul,
> If you cannot filter on the DN (haven't checked that, but that is what
> you can do with apache for instance) or something, then you're probably
> right.
That's another approach, but in my mind this is more like a workaround.
I got the documentation wrong. Based on the source code, the current
implementation is only able to handle CA certificates against which the
client certs get checked. It seems that this would be the common
approach to check client certificates.
> We also do this with stunnel at the moment, so I would be interested in
> doing this with exim directly as well. The only thing that stopped me
> from experimenting with that is that I think that if I advertise
> STARTTLS to the client on the normal smtp port, and it _must_
> authenticate with a client certificate, what happens to the MTAs that
> do know TLS but have no client certificate?
> Normally the data transport is then secured, but without a proper client
> certificate the SSL setup fails, I suppose?
>
> The way to work around this is to have a separate IP of course for the
> submission with TLS. (That is what we have now with stunnel...)
I think stunnel is the only way to get the client certs checked directly
by SSL. My solution was: hacking the exim OpenSSL code to do the same
as stunnel, but this would mean some extra work on updates.
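As an added example (not part of this thread and not Exim's own documentation), this is how the split Paul describes can be done inside Exim on one IP: port 25 offers STARTTLS to MTAs with or without a client certificate, while port 587 requires a certificate that verifies against the CA bundle and whose subject DN matches a pattern. It assumes Exim 4.80 or later (for $tls_in_peerdn) and the file paths, port split and DN pattern shown are illustrative assumptions.

```conf
# Added example, not from the thread. Exim main section and ACL fragment.
# Paths, the 25/587 split and the DN pattern are assumptions.

daemon_smtp_ports = 25 : 587
tls_advertise_hosts = *
# assumed paths
tls_certificate = /etc/exim/server.crt
tls_privatekey  = /etc/exim/server.key

# CA bundle the presented client certificate chain is checked against
# (assumed path). This is the CA-based check the message above describes.
tls_verify_certificates = /etc/exim/client-ca.pem

# Ask every TLS client for a certificate but never abort the handshake
# when none is presented or it fails to verify: MTAs on port 25 that
# speak TLS without a client cert still get an encrypted session.
tls_try_verify_hosts = *

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Port 25: ordinary MTA traffic, no client certificate required here
  # (normal anti-relay and recipient checks belong in the RCPT ACL).
  accept  condition = ${if ={$received_port}{25}}

  # Port 587 (submission): the session must be encrypted, the client
  # certificate must have verified against tls_verify_certificates, and
  # its subject DN must match the pattern (the DN filter Paul mentioned).
  deny    !encrypted = *
          message    = submission requires STARTTLS
  deny    !verify    = certificate
          message    = a CA-verified client certificate is required
  # assumed DN pattern; $tls_in_peerdn looks like /C=DE/O=Example Corp/CN=...
  deny    !condition = ${if match{$tls_in_peerdn}{O=Example Corp}}
          message    = client certificate subject not authorised
  accept
```

Because tls_try_verify_hosts (rather than tls_verify_hosts) is used, a missing or unverifiable certificate is only rejected by policy on port 587, not by a failed TLS handshake on port 25.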