Autor: Leon Verrall Data: A: exim-users CC: exim-users Assumpte: Re: [exim] Exim accepting any signed cert as verified even when not
listed in tls_verify_certificates?
exim-users@??? wrote: > Hi Leon,
>
> without knowing GNUTLS, here's my 2 cents from a PKI perspective.
>
> The tls_verify_certificates file contains your trust anchors. That
> means, that exim needs to build up a certificate chain from the
> certificate(s) presented by the client up to a certificate contained in
> this file. Once exim can do so, and the rest of the certificate
> verification process succeeds, the overall verification is successful. >> If certs.pem contains the client certificate only, exim rejects as it
>> can't verify the certificate (correct).
>
> I would consider that wrong. Since the file contains the client
> certificate and as such you consider it trusted, verification should
> succeed.
This can't be right. certs.pem doesn't contain the root certificate.
Exim can't verify the cert as it has no knowledge of who it's signed by.
The documentation explicitly states that you have to be able to get
back through the chain to the root.
> If you don't want to automatically trust all certificates issued by the
> CA, consider creating a private CA yourself and issuing certificates
> only to those clients you want to allow to your system.
Sorry if I wasn't clear, that's exactly what I have. The root
certificate is the root of _my_ CA.