[exim-dev] [Bug 1003] Extended (client) certificate verifica…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1003] Extended (client) certificate verification in ACL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1003

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdp@???
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID





--- Comment #1 from Phil Pennock <pdp@???> 2010-06-28 18:57:39 ---
To limit which Certificate Authority can be used to sign *client* certificates
as presented to Exim, you use the tls_verify_certificates option, which is an
expanded string, so it can depend upon other variables.

There's no reason to use global lists of certificate authorities for this. You
use your own private CA.

This is separate from tls_verify_certificates used on an smtp Transport, to
control which CAs can sign server certs when Exim is the client.

So to accomplish your X-Warning case, you'd use tls_try_verify_hosts =
<whatever> instead of tls_verify_hosts. Then you can check
$tls_certificate_verified to implement this header addition.

Please ask user-support questions on exim-users@???.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
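The configuration sketched in the comment above, written out as an added illustration (it is not from the bug report or from Exim's own documentation). It assumes the Exim 4.7x-era variable names used at the time ($tls_cipher, $tls_certificate_verified, $tls_peerdn) and a hypothetical private CA bundle at /etc/exim/client-ca.pem; the header names are also constructed for the example.

```exim
# ---- main configuration section ----
# Server-side TLS: paths are constructed placeholders for this example.
tls_advertise_hosts = *
tls_certificate     = /etc/exim/server.pem
tls_privatekey      = /etc/exim/server.key

# Only our own private CA may sign client certificates.  This is an
# expanded string, so it could also be chosen per connection, e.g. by
# $sender_host_address, rather than pointing at a global CA bundle.
tls_verify_certificates = /etc/exim/client-ca.pem

# tls_try_verify_hosts (not tls_verify_hosts): a client that presents no
# certificate, or one our CA did not sign, is still allowed to continue;
# the outcome is recorded in $tls_certificate_verified for the ACLs.
tls_try_verify_hosts = *

acl_smtp_data = acl_check_data

# ---- ACL section ----
begin acl

acl_check_data:
  # Session used TLS, but the client certificate did not verify against
  # the private CA (or none was offered): tag the message and log it,
  # rather than rejecting it.
  warn
    condition  = ${if def:tls_cipher}
    condition  = ${if eq{$tls_certificate_verified}{0}}
    add_header = X-Warning: client certificate not verified by private CA
    logwrite   = client cert unverified from $sender_host_address

  # Certificate chained to our CA: record the subject DN for later filtering.
  warn
    condition  = ${if eq{$tls_certificate_verified}{1}}
    add_header = X-Client-Cert-Verified: yes; subject=$tls_peerdn

  accept
```

Downstream routers or a mail filter can then act on the X-Warning header; this keeps the policy decision in one place while preserving the comment's point that verification failure need not mean rejection.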