Re: [exim] Exim accepting any signed cert as verified even w…

Author: Mike Cardwell
Date:
To: exim-users
Subject: Re: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?

Leon Verrall wrote:

> I'm running Exim 4.63 on Debian stable and I'm confused by a bit of
> behavior. Not sure if it's GNUTLS, exim or me being stupid.
>
> I'm relaying from exim4 on my home box (SORBS blacklisted ISP dynamic
> IP) to another exim4 box in the big wide world (that isn't blacklisted)
> and from there to the outside world. I have my own private root cert
> and I've created a signed client cert for the "client" exim. The
> "server" exim requires an encrypted connection for relaying and should
> be verifying certificates against its known list before allowing a TLS
> connection.
>
> This seems to work but not how I'd expect. Here's a summary:
>
> tls_verify_hosts = *
> tls_verify_certificates = /some/file/with/certs.pem
>
> If certs.pem contains the client certificate and my root certificate,
> exim accepts. (apparently correct).
> If certs.pem contains the client certificate only, exim rejects as it
> can't verify the certificate (correct).
> If certs.pem contains _only_ the root certificate, exim accepts! (wrong?)
>
> Surely this file should contain a list of certificates that are to be
> considered "valid", plus any intermediate certs and the root cert needed
> to validate it. However exim seems to accept _any_ TLS session as long
> as a certificate signed by that root CA is presented.


I came across the same problem. There were only a couple of certificates
involved in my environment so what I did was to check that the domain of
the client cert was what I was expecting:

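# Reject if the client certificate did not verify against tls_verify_certificates
deny !condition = $tls_certificate_verified
# Extract the O= value from the peer DN; reject unless it is an expected domain
deny set acl_m0 = ${if match{$tls_peerdn}\
                      {\N^.*?O=([a-z0-9\.-]+)\N}\
                      {$1}{}}
      condition  = ${if match_domain{$acl_m0}\
                      {secure.grepular.com:secure.blubbernet.com}\
                      {false}{true}}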


Not ideal. Hopefully that'll give you an idea though.

> Any ideas why exim doesn't tell a client with an "unknown" certificate to
> get lost, signed or not?


I'd also like to know how to do that.

Mike
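
Added example, not part of the message above and not Exim code: a Python model of the ACL check in the message, comparing its regex extraction of O= with an exact match on the parsed O attribute. The function names and the comma-separated DN layout are assumptions (the real $tls_peerdn format depends on the TLS library), and the sample DNs are constructed.

```python
import re

# Allowlist taken from the ACL in the message above.
ALLOWED_ORGS = {"secure.grepular.com", "secure.blubbernet.com"}

# Same pattern as the ACL: the first "O=" found anywhere in the DN string.
ACL_REGEX = re.compile(r"^.*?O=([a-z0-9\.-]+)")


def org_by_regex(peer_dn):
    """Mimic the ${if match{$tls_peerdn}{...}{$1}{}} expansion."""
    m = ACL_REGEX.search(peer_dn)
    return m.group(1) if m else ""


def org_by_parse(peer_dn):
    """Return the O attribute value, or "" unless exactly one O exists.

    Assumption: attributes are comma-separated KEY=value pairs with no
    escaped commas, as in the constructed samples below.
    """
    orgs = []
    for rdn in peer_dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.upper() == "O":
            orgs.append(value.strip().lower())
    return orgs[0] if len(orgs) == 1 else ""


def accept(verified, peer_dn, extract=org_by_parse):
    """Accept only a chain-verified certificate whose O is on the allowlist."""
    return bool(verified) and extract(peer_dn) in ALLOWED_ORGS


# Constructed sample DNs (not taken from any real certificate).
SAMPLES = {
    "expected client": "C=GB,O=secure.grepular.com,CN=relay-client",
    "other cert from same root": "C=GB,O=other.example,CN=someone-else",
    "O= text inside another attribute": "C=GB,CN=xO=secure.grepular.com,O=other.example",
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        # Columns: regex-based decision, parse-based decision.
        print(label, accept(True, dn, org_by_regex), accept(True, dn, org_by_parse))
```

Chain verification alone would accept all three samples, since each is assumed to be signed by the same root; the allowlist step is what separates them, and only the parsed comparison rejects the third.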