On 2010-11-23 at 15:43 -0500, Phil Pennock wrote:
> Okay, your question as phrased was entirely about using client
> certificates.
>
> Yes, you can have Exim act as the server-side, verifying client certs
> based on a CA. The documentation is not entirely clear on this; I've
> made a note to clarify things.
http://git.exim.org/exim.git/commit/6b8e6cb23ce5cc39a83c7fd0a373c79953351fec
Added to the spec definition of tls_verify_certificates in the main
section:
+These certificates should be for the certificate authorities trusted, rather
+than the public cert of individual clients. With both OpenSSL and GnuTLS, if
+the value is a file then the certificates are sent by Exim as a server to
+connecting clients, defining the list of accepted certificate authorities.
+Thus the values defined should be considered public data. To avoid this,
+use OpenSSL with a directory.
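Review bot: the sentence "the certificates are sent by Exim as a server to connecting clients" overstates what leaves the server; a TLS CertificateRequest carries the distinguished names of the accepted CAs, not the CA certificates themselves, so "the names of these certificate authorities are sent to connecting clients" would be accurate and still supports the "public data" conclusion that follows. The closing "To avoid this, use OpenSSL with a directory" also leaves implicit that GnuTLS does not accept a directory for this option; say so outright, and add the trade-off that with a directory no CA names are advertised at all, so a client that picks its certificate from the advertised names has nothing to choose from.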
-Phil
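A check an operator can run against their own Exim server to see whether the file-backed tls_verify_certificates setting described above is disclosing its CA list: `openssl s_client` prints whatever the server advertises in its CertificateRequest under the heading "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the list is empty). The script below is an added example, not code from the Exim project or from the mail above; the host name mail.example.com, the port, and the two s_client transcripts embedded in it are constructed for illustration so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from Exim or the original mail): list the CA names a TLS
# server advertises when it asks for a client certificate, as shown by
# `openssl s_client` under "Acceptable client certificate CA names".
# mail.example.com:25 and the two transcripts below are constructed samples.

# advertised_client_cas: read an s_client transcript on stdin and print each
# CA subject listed under "Acceptable client certificate CA names". Prints
# nothing when the server sent an empty list or requested no client cert.
advertised_client_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^---$/ { inlist = 0 }
        inlist && /^(Client Certificate Types|Requested Signature)/ { inlist = 0 }
        inlist { print }
    '
}

# count_advertised_cas TRANSCRIPT: number of CA names in a transcript string.
count_advertised_cas() {
    printf '%s\n' "$1" | advertised_client_cas | awk 'END { print NR }'
}

# probe_smtp_server HOST PORT: live check over STARTTLS (assumed host/port).
# Usage: probe_smtp_server mail.example.com 25
probe_smtp_server() {
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null \
        | advertised_client_cas
}

# Constructed transcript: server whose tls_verify_certificates is a FILE, so
# OpenSSL/GnuTLS advertise every CA in it to anyone who connects.
SAMPLE_FILE_BACKED='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = XX, O = Example Corp, CN = Example Internal CA
---
Acceptable client certificate CA names
C = XX, O = Example Corp, CN = Example Internal CA
C = XX, O = Example Corp, CN = Example Relay CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2313 bytes and written 448 bytes'

# Constructed transcript: server using OpenSSL with a DIRECTORY, so no CA
# names are advertised (the trade-off is that clients get no hint either).
SAMPLE_DIR_BACKED='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = XX, O = Example Corp, CN = Example Internal CA
---
No client certificate CA names sent
---
SSL handshake has read 1902 bytes and written 448 bytes'

# Demonstration over the constructed transcripts (no network needed).
printf 'file-backed server advertises %s CA name(s)\n' \
    "$(count_advertised_cas "$SAMPLE_FILE_BACKED")"
printf 'directory-backed server advertises %s CA name(s)\n' \
    "$(count_advertised_cas "$SAMPLE_DIR_BACKED")"
```

To test a real server, call `probe_smtp_server` with your host and port: any line it prints is a CA name that every connecting client, authenticated or not, can read, which is exactly the disclosure the documentation change warns about.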