Autor: exim-users Data: Para: exim-users Assunto: Re: [exim] Exim accepting any signed cert as verified even when not
listed in tls_verify_certificates?
Hi Leon,
without knowing GNUTLS, here's my 2 cents from a PKI perspective.
The tls_verify_certificates file contains your trust anchors. That
means, that exim needs to build up a certificate chain from the
certificate(s) presented by the client up to a certificate contained in
this file. Once exim can do so, and the rest of the certificate
verification process succeeds, the overall verification is successful.
Leon Verrall schrieb: > This seems to work but not how I'd expect. Here's a summary:
>
> tls_verify_hosts = *
> tls_verify_certificates = /some/file/with/certs.pem
>
> If certs.pem contains the client certificate and my root certificate,
> exim accepts. (apparently correct).
correct.
> If certs.pem contains the client certificate only, exim rejects as it
> can't verify the certificate (correct).
I would consider that wrong. Since the file contains the client
certificate and as such you consider it trusted, verification should
succeed.
> If certs.pm contains _only_ the root certificate, exim accepts! (wrong?)
If exim can build up a certificate chain from the certificate(s)
presented by the client up to the root certificate, then the result you
witness is correct.
After all, in a PKI context, you don't want to configure thousands of
client certificates as trusted, but only a few CA certificates, and by
doing so, you automatically trust all certificates issued by such a CA.
If you don't want to automatically trust all certificates issued by the
CA, consider creating a private CA yourself and issuing certificates
only to those clients you want to allow to your system.