Author: exim-users Date: To: exim-users Subject: Re: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?
Hi Leon,
Leon Verrall wrote:
> exim-users@??? wrote:
>> Hi Leon,
>>
>> without knowing GNUTLS, here's my 2 cents from a PKI perspective.
>>
>> The tls_verify_certificates file contains your trust anchors. That
>> means that exim needs to build up a certificate chain from the
>> certificate(s) presented by the client up to a certificate contained in
>> this file. Once exim can do so, and the rest of the certificate
>> verification process succeeds, the overall verification is successful.
>
>>> If certs.pem contains the client certificate only, exim rejects as it
>>> can't verify the certificate (correct).
>> I would consider that wrong. Since the file contains the client
>> certificate and as such you consider it trusted, verification should
>> succeed.
>
> This can't be right. certs.pem doesn't contain the root certificate.
> Exim can't verify the cert as it has no knowledge of who it's signed by.
> The documentation explicitly states that you have to be able to get
> back through the chain to the root.
As I said, I don't know the implementation details of how things work in
gnutls or in exim. I can only give you the theory of how things
should be.
Before you start your verification process, you have to build up the
certificate chain up to a point of trust. Whether that is a self-signed
root CA certificate, an intermediate CA certificate or a client
certificate doesn't matter. You trust it, and that's what counts. Once
you have done so, the verification process starts. If you can't build up the
certificate chain to a point of trust, there's no need to do any
cryptographic verification calculation, because the outcome fails
anyway. Of course, if you want to check for certificate revocation,
things get more complicated, and you always have to build up the whole
certificate chain.
How things work in exim with gnutls, you have to find out yourself. But
once you know the theory, things are easier to understand. From what you
told us so far, the combination of exim and gnutls seems not to allow
you to configure a client certificate as trusted. The rest is as expected.
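The chain-building theory above, shown with the OpenSSL command line rather than exim/gnutls, as an added example that is not part of this thread. It builds a constructed root CA -> intermediate CA -> client chain and then verifies the client certificate against several "trust anchor" files, standing in for different contents of tls_verify_certificates. It assumes an `openssl` binary (1.1.1 or newer) is on the PATH; every file, name and subject below is constructed for the demo. With OpenSSL, trusting an intermediate or the client certificate itself only works when the verifier is explicitly told to accept partial chains (`-partial_chain`); otherwise the chain must end at a self-signed root, which is the behaviour Leon observed.

```sh
#!/bin/sh
# Added example (not from the exim-users thread): build a constructed
# root -> intermediate -> client chain with OpenSSL and verify the client
# certificate against different trust-anchor files.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extensions: CA certificates must carry CA:TRUE to be accepted as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"

# issue <name> <issuer|self> <extfile> <subject>: create an EC key and a cert
# signed by <issuer>'s key (or self-signed), written to $WORK/<name>.pem.
issue() {
    name=$1
    issuer=$2
    ext=$3
    subj=$4
    openssl req -new -config "$WORK/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -out "$WORK/$name.pem" -days 1 -extfile "$WORK/$ext" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -out "$WORK/$name.pem" -days 1 -extfile "$WORK/$ext" 2>/dev/null
    fi
}

issue root   self ca.ext     "/CN=Example Root CA"
issue int    root ca.ext     "/CN=Example Issuing CA"
issue client int  client.ext "/CN=client.example.test"
issue other  self ca.ext     "/CN=Unrelated Root CA"

# verify_client <anchor file> [--partial]
# Exit 0 when the client certificate chains to a certificate in <anchor file>.
# int.pem is passed as -untrusted, like an intermediate the peer presents in
# its TLS handshake. --partial lets a non-self-signed anchor end the chain.
verify_client() {
    anchors=$1
    flag=""
    if [ "${2:-}" = "--partial" ]; then
        flag="-partial_chain"
    fi
    openssl verify $flag -CAfile "$anchors" -untrusted "$WORK/int.pem" \
        "$WORK/client.pem" >/dev/null 2>&1
}

# report <anchor file> <--partial|""> <description>: print one result line.
report() {
    if verify_client "$1" "$2"; then
        echo "OK   $3"
    else
        echo "FAIL $3"
    fi
}

report "$WORK/root.pem"   ""        "anchor = root CA (full chain)"
report "$WORK/int.pem"    ""        "anchor = intermediate CA only"
report "$WORK/int.pem"    --partial "anchor = intermediate CA only, partial chains allowed"
report "$WORK/client.pem" ""        "anchor = client cert itself (the certs.pem case)"
report "$WORK/client.pem" --partial "anchor = client cert itself, partial chains allowed"
report "$WORK/other.pem"  ""        "anchor = unrelated CA"
```

The two FAIL lines without `--partial` show the point made above: a verifier that insists on reaching a self-signed root cannot treat an intermediate or a leaf in the anchor file as a point of trust, however much the operator intends to trust it. Whether exim with gnutls can be configured for partial chains is a separate question that this OpenSSL run does not answer.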