[exim-dev] [Bug 1003] Extended (client) certificate verifica…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1003] Extended (client) certificate verification in ACL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1003

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdp@???
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID





--- Comment #1 from Phil Pennock <pdp@???> 2010-06-28 18:57:39 ---
To limit which Certificate Authority can be used to sign *client* certificates
as presented to Exim, you use the tls_verify_certificates option, which is an
expanded string so can depend upon other variables.

There's no reason to use global lists of certificate authorities for this. You
use your own private CA.

This is separate from tls_verify_certificates used on an smtp Transport, to
control which CAs can sign server certs when Exim is the client.

So to accomplish your X-Warning case, you'd use tls_try_verify_hosts =
<whatever> instead of tls_verify_hosts. Then you can check
$tls_certificate_verified to implement this header addition.

Please ask user-support questions on exim-users@???.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
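
A configuration along the lines the comment above describes, as an added example that is not part of the original message or the Exim project's own files. The file paths, the ACL name `acl_check_data`, the `*` host lists, and the header text are assumptions.

```exim
# --- main configuration section ---

# Offer STARTTLS to all clients (assumed host list).
tls_advertise_hosts = *

# Server certificate and key (placeholder paths).
tls_certificate = /etc/exim/tls/server.crt
tls_privatekey = /etc/exim/tls/server.key

# Trust only the private CA for *client* certificates presented to Exim.
# This option is an expanded string, so it may reference variables.
tls_verify_certificates = /etc/exim/tls/private-ca.pem

# Request a client certificate but do not abort the session when it is
# missing or fails verification. With tls_verify_hosts instead, such
# clients would be refused during the TLS handshake.
tls_try_verify_hosts = *

acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # Encrypted session, but the client certificate did not verify
  # against the private CA: accept the message and flag it.
  warn  encrypted  = *
        condition  = ${if !eq{$tls_certificate_verified}{1}}
        add_header = X-Warning: client certificate not verified

  accept
```

The smtp transport has its own `tls_verify_certificates` setting for checking server certificates when Exim is the client, and the main-section option shown here does not affect it.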