Re: [exim-dev] TLS OpenSSL CRL Handling

Author: Lars Mainka
Date:  
To: exim-dev
Subject: Re: [exim-dev] TLS OpenSSL CRL Handling


Philip Hazel wrote:

> I don't think any of the main Exim maintainers are at all expert in
> OpenSSL. I certainly am not. The CRL support was originally supplied as
> a patch, which I integrated and was happy with once I found that a simple
> test worked.


In my mind, security based on SSL/TLS has so much complexity that
there are only a few people who can be called experts. :-( This makes
getting the whole thing secure so difficult that there will be a general
lack of security.

>>I think, this would make the crl handling (especially of multiple crls) much
>>easier and this is not a big change on the sources.
>
>
> Would such a change be upwards compatible? Can you supply a suggested
> patch? That has much more of a chance of being included and tested.
> Otherwise somebody has to spend time learning about OpenSSL and figuring
> out what to do. My own time for working on the code is extremely limited
> at present.


I tried it with versions 4.43, 4.44 and 4.50 on FreeBSD and Debian
and it works fine. I haven't found any problems changing the sources
and there are no handling differences concerning the tls_crl value in the
configuration. I would be very happy to supply Exim with a small patch.
Where should I send the patch? (I will try to do the same for GnuTLS if
anyone would like to have it.)

As I posted on the users list, there are some other possible tasks in
the TLS implementation, like purpose checking, client certificate
checking, OCSP and so on. Is anybody interested in enhancing Exim on
that point?

Greetings,
Lars
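
Added example (editor's note, not Exim code and not the patch discussed above): a shell script that builds a throwaway CA, a leaf certificate and a CRL that revokes it, then runs OpenSSL's verifier in three configurations. It assumes the openssl command-line tool is on PATH; all keys, certificates and the CRL are constructed on the fly. It shows two things a practitioner wants to know before trusting a tls_crl setting: OpenSSL's PEM loader accepts certificates and CRLs concatenated in one file (so several CRLs can be shipped by appending them), and loading a CRL does nothing unless the CRL check flag is also set, in which case a missing CRL for the issuer fails closed.

```shell
#!/bin/sh
# Added example (not Exim's code): exercise OpenSSL CRL checking with the
# openssl CLI. Assumes `openssl` is on PATH and a temp directory is writable.
# Every key, certificate and CRL below is constructed here; none is real.

# Build a throwaway PKI: a CA, a leaf cert, and a CRL that revokes the leaf.
# Prints the directory holding ca.crt, leaf.crt, one.crl and bundle.pem.
make_test_pki() {
  dir=$(mktemp -d) || return 1
  (
    set -e
    cd "$dir"
    # CA and leaf key/cert pairs (constructed test material).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in leaf.csr \
      -CA ca.crt -CAkey ca.key -CAcreateserial -out leaf.crt >/dev/null 2>&1

    # Minimal `openssl ca` database so we can revoke the leaf and emit a CRL.
    : > index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/ca.srl
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out one.crl >/dev/null 2>&1

    # OpenSSL's PEM loader reads certificates and CRLs from the same file,
    # so a tls_crl-style file can carry several CRLs: just append them.
    cat ca.crt one.crl > bundle.pem
  ) || return 1
  echo "$dir"
}

# Verify a certificate against a PEM bundle. With a third argument of "crl"
# the CRL check is enabled (the CLI equivalent of X509_V_FLAG_CRL_CHECK).
# Prints one of: valid, revoked, no-crl, error.
verify_cert() {
  bundle=$1; cert=$2; mode=${3:-nocrl}
  if [ "$mode" = crl ]; then flag=-crl_check; else flag=; fi
  if out=$(openssl verify $flag -CAfile "$bundle" "$cert" 2>&1); then
    echo valid
    return 0
  fi
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *)                                 echo error ;;
  esac
}

main() {
  pki=$(make_test_pki) || exit 1
  # A loaded CRL is silently ignored unless the check flag is on.
  echo "CRL loaded, check off: $(verify_cert "$pki/bundle.pem" "$pki/leaf.crt")"
  echo "CRL loaded, check on:  $(verify_cert "$pki/bundle.pem" "$pki/leaf.crt" crl)"
  # With the flag on and no CRL for the issuer, verification fails closed.
  echo "no CRL, check on:      $(verify_cert "$pki/ca.crt" "$pki/leaf.crt" crl)"
  rm -rf "$pki"
}

main "$@"
```

The first line of output is the trap: the revoked leaf verifies as "valid" because the CRL was loaded but never consulted. Any tls_crl implementation therefore has to be tested with a deliberately revoked certificate, not just with a CRL file that parses.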