Author: Mike Cardwell
Date:
To: exim-users
Subject: Re: [exim] Exim accepting any signed cert as verified even when not listed in tls_verify_certificates?

exim-users@??? wrote:
>>> without knowing GNUTLS, here's my 2 cents from a PKI perspective.
>>>
>>> The tls_verify_certificates file contains your trust anchors. That
>>> means, that exim needs to build up a certificate chain from the
>>> certificate(s) presented by the client up to a certificate contained in
>>> this file. Once exim can do so, and the rest of the certificate
>>> verification process succeeds, the overall verification is successful.
>>>> If certs.pem contains the client certificate only, exim rejects as it
>>>> can't verify the certificate (correct).
>>> I would consider that wrong. Since the file contains the client
>>> certificate and as such you consider it trusted, verification should
>>> succeed.
>> This can't be right. certs.pem doesn't contain the root certificate.
>> Exim can't verify the cert as it has no knowledge of who it's signed by.
>> The documentation explicitly states that you have to be able to get
>> back through the chain to the root.
>
> As I said, I don't know about implementation details or how things work in
> gnutls or in exim. I can only give you the theory of how things
> should be.
Just to clarify: this is the same behaviour when exim is compiled
against openssl rather than gnutls.
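The disagreement in the thread is exactly the difference between two chain-building policies: "build a chain from the presented certificate up to a self-signed root in the anchor file" versus "accept a certificate because it appears verbatim in the anchor file". The script below is an added illustration, not code from the thread or from Exim; it uses the `openssl` command line with a throw-away PKI constructed on the spot (all names, keys and certificates are made up). It shows what each anchor file does under OpenSSL's default policy, what the "PKI perspective" needs (`-partial_chain`), and that a certificate signed by an unrelated CA is still rejected when the anchor file holds the right root.

```shell
#!/bin/sh
# Added demonstration (not from the thread): what the trust anchors in a
# tls_verify_certificates-style file mean to OpenSSL's chain builder.
# Every key, name and certificate below is a constructed throw-away.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME CN : self-signed root CA written to $WORK/NAME.pem and NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# make_client NAME CA CN : client certificate issued by CA, written to $WORK/NAME.pem
make_client() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_check TRUSTFILE CERT [VERIFY-FLAGS...] : prints OK or FAIL, never aborts.
# TRUSTFILE plays the role of tls_verify_certificates; CERT is what the
# client presented.
chain_check() {
    trust=$1; cert=$2; shift 2
    if openssl verify "$@" -CAfile "$trust" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca root "Example Root CA"
make_ca other "Unrelated Root CA"
make_client client root "client.example"
make_client stranger other "stranger.example"

# 1. Anchor file holds only the client's own certificate. The default policy
#    (the one Exim's documentation describes) wants a chain up to a self-signed
#    root, so this fails with "unable to get local issuer certificate".
echo "leaf-only anchor, default policy: $(chain_check "$WORK/client.pem" "$WORK/client.pem")"

# 2. The thread's "PKI perspective": the leaf itself is the trusted object.
#    OpenSSL only behaves that way when explicitly asked with -partial_chain.
echo "leaf-only anchor, -partial_chain: $(chain_check "$WORK/client.pem" "$WORK/client.pem" -partial_chain)"

# 3. Anchor file holds the issuing root: the chain builds and verification passes.
echo "root anchor, own client:          $(chain_check "$WORK/root.pem" "$WORK/client.pem")"

# 4. Being signed by *some* CA is not enough: a certificate from an unrelated
#    root must still fail against this anchor file.
echo "root anchor, foreign client:      $(chain_check "$WORK/root.pem" "$WORK/stranger.pem")"
```

Run it with any OpenSSL 1.1.1 or 3.x `openssl` binary on the PATH; the four lines print FAIL, OK, OK, FAIL. Case 4 is the behaviour the original bug report is about: an anchor file that makes case 3 pass must not make case 4 pass as well. Whether a verifier should accept case 1 without `-partial_chain` is precisely the policy question the two posters disagree on.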