[exim] Exim accepting any signed cert as verified even when …

Author: Leon Verrall
Date:  
To: exim-users
Subject: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?

Hi,

I'm running Exim 4.63 on Debian stable and I'm confused by a bit of
behavior. Not sure if it's GNUTLS, exim or me being stupid.

I'm relaying from exim4 on my home box (SORBS blacklisted ISP dynamic
IP) to another exim4 box in the big wide world (that isn't blacklisted)
and from there to the outside world. I have my own private root cert
and I've created a signed client cert for the "client" exim. The
"server" exim requires an encrypted connection for relaying and should
be verifying certificates against its known list before allowing a TLS
connection.

This seems to work but not how I'd expect. Here's a summary:

tls_verify_hosts = *
tls_verify_certificates = /some/file/with/certs.pem

If certs.pem contains the client certificate and my root certificate,
exim accepts. (apparently correct).
If certs.pem contains the client certificate only, exim rejects as it
can't verify the certificate (correct).
If certs.pem contains _only_ the root certificate, exim accepts! (wrong?)

Surely this file should contain a list of certificates that are to be
considered "valid", plus any intermediate certs and the root cert needed
to validate it. However exim seems to accept _any_ TLS session as long
as a certificate signed by that root CA is presented.

The documentation says:

"Any client that matches tls_verify_hosts is constrained by
tls_verify_certificates. The client must present one of the listed
certificates. If it does not, the connection is aborted."

http://www.exim.org/exim-html-current/doc/html/spec_html/ch14.html#SECID108

Any ideas why exim doesn't tell a client with an "unknown" certificate to
get lost, signed or not?

Cheers for any help,

Leon
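The two options quoted in the post only establish that the client's certificate chains to a trusted CA in that file; to make relaying depend on the one particular client certificate, the usual defensive pattern is to pin the verified peer's subject DN in the RCPT ACL. The fragment below is an added example written for this thread, not configuration from the post or from the Exim project; the CA file path, the ACL name, the `+local_domains` list and the pinned DN are assumptions.

```exim
# Main section, as in the question: chain verification for every client.
tls_verify_hosts        = *
tls_verify_certificates = /etc/exim4/private-ca.pem   # assumed path; root CA only
acl_smtp_rcpt           = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail for our own domains needs no client certificate.
  accept  domains   = +local_domains                  # assumed domainlist

  # Relay: a verified chain only proves "signed by my CA", which is what the
  # post observes. Additionally pin the subject DN of the one client
  # certificate allowed to relay. $tls_peerdn is the variable name of this
  # Exim era (assumption for 4.63); the DN text format depends on the TLS
  # library (GnuTLS renders it comma-separated), so anchor the CN on ',' or
  # end of string rather than matching a bare substring.
  accept  encrypted = *
          verify    = certificate
          condition = ${if match{$tls_peerdn}{\N(^|,)CN=homebox\.example\.org(,|$)\N}}
          logwrite  = relay permitted for verified peer $tls_peerdn

  # Every other client, CA-signed or not, is refused relay.
  deny    message   = relay not permitted
```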