Re: [exim] Client Certificate Authentication

Author: Phil Pennock
Date:  
To: Matthias-Christian Ott, exim-users
Old-Topics: Re: [exim] Client Certificate Authentication
Subject: Re: [exim] Client Certificate Authentication
On 2010-11-23 at 15:43 -0500, Phil Pennock wrote:
> Okay, your question as phrased was entirely about using client
> certificates.
>
> Yes, you can have Exim act as the server-side, verifying client certs
> based on a CA. The documentation is not entirely clear on this, I've
> made a note to clarify things.
http://git.exim.org/exim.git/commit/6b8e6cb23ce5cc39a83c7fd0a373c79953351fec

Added to the spec definition of tls_verify_certificates in the main
section:

+These certificates should be for the certificate authorities trusted, rather
+than the public cert of individual clients. With both OpenSSL and GnuTLS, if
+the value is a file then the certificates are sent by Exim as a server to
+connecting clients, defining the list of accepted certificate authorities.
+Thus the values defined should be considered public data. To avoid this,
+use OpenSSL with a directory.
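Review bot: the closing sentence "To avoid this, use OpenSSL with a directory." implies, without stating it, that the directory form is not available with GnuTLS; say so explicitly so a reader on a GnuTLS build knows the configured CA list will be disclosed to every connecting client and cannot be kept private by this option, and make clear that the file-versus-directory choice is what controls that disclosure. Minor wording: "should be for the certificate authorities trusted" reads more naturally as "should be those of the trusted certificate authorities".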

-Phil