Re: [exim] Exim accepting any signed cert as verified even w…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: exim-users
Date:  
À: exim-users
Sujet: Re: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?
Hi Leon,

without knowing GNUTLS, here's my 2 cents from a PKI perspective.

The tls_verify_certificates file contains your trust anchors. That
means, that exim needs to build up a certificate chain from the
certificate(s) presented by the client up to a certificate contained in
this file. Once exim can do so, and the rest of the certificate
verification process succeeds, the overall verification is successful.

Leon Verrall schrieb:
> This seems to work but not how I'd expect. Here's a summary:
>
> tls_verify_hosts = *
> tls_verify_certificates = /some/file/with/certs.pem
>
> If certs.pem contains the client certificate and my root certificate,
> exim accepts. (apparently correct).


correct.

> If certs.pem contains the client certificate only, exim rejects as it
> can't verify the certificate (correct).


I would consider that wrong. Since the file contains the client
certificate and as such you consider it trusted, verification should
succeed.

> If certs.pm contains _only_ the root certificate, exim accepts! (wrong?)


If exim can build up a certificate chain from the certificate(s)
presented by the client up to the root certificate, then the result you
witness is correct.

After all, in a PKI context, you don't want to configure thousands of
client certificates as trusted, but only a few CA certificates, and by
doing so, you automatically trust all certificates issued by such a CA.

If you don't want to automatically trust all certificates issued by the
CA, consider creating a private CA yourself and issuing certificates
only to those clients you want to allow to your system.

HTH,
Patrick Eisenacher