Re: [exim] Exim accepting any signed cert as verified even w…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Leon Verrall
Datum:  
To: Mike Cardwell
CC: exim-users
Betreff: Re: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?
Mike Cardwell wrote:
> Leon Verrall wrote:


>> Surely this file should contain a list of certificates that are to be
>> considered "valid", plus any intermediate certs and the root cert needed
>> to validate it. However exim seems to accept _any_ TLS session as long
>> as a certificate signed by that root CA is presented.
>
> I came across the same problem. There were only a couple of certificates
> involved in my environment so what I did was to check that the domain of
> the client cert was what I was expecting:
>
> deny !condition = $tls_certificate_verified
> deny set acl_m0 = ${if match{$tls_peerdn}\
>                       {\N^.*?O=([a-z0-9\.-]+)\N}\
>                       {$1}{}}
>       condition  = ${if match_domain{$acl_m0}\
>                       {secure.grepular.com:secure.blubbernet.com}\
>                       {false}{true}}

>
> Not ideal. Hopefully that'll give you an idea though.


I see the logic. I have a similar situation; just a few certificates.
Still it would be nice if this worked as documented or we could find out
what's wrong.

>> Any ideas why exim doesn't tell a client with an "unkown" certificate to
>> get lost, signed or not?
>
> I'd also like to know how to do that.


At least I'm not going mad. Or we both are.

Leon