[exim-cvs] Clarify: tls_verify_certificates is for CA certs.

Top Pagina
Delete this message
Reply to this message
Auteur: Exim Git Commits Mailing List
Datum:  
Aan: exim-cvs
Onderwerp: [exim-cvs] Clarify: tls_verify_certificates is for CA certs.
Gitweb: http://git.exim.org/exim.git/commitdiff/6b8e6cb23ce5cc39a83c7fd0a373c79953351fec
Commit:     6b8e6cb23ce5cc39a83c7fd0a373c79953351fec
Parent:     fea24b2ea4e2c2a4b77d6fb222054e32e658b227
Author:     Phil Pennock <pdp@???>
AuthorDate: Sun Jan 16 22:21:37 2011 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Sun Jan 16 22:21:37 2011 -0500


    Clarify: tls_verify_certificates is for CA certs.


    It can be used for individual user certs but is really intended for
    CAs.  Note this, and explain that if the tls_verify_certificates value
    is a file, then the certs within are sent from the server to clients,
    thus is public data.
---
 doc/doc-docbook/spec.xfpt |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 15b3a2b..160410b 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15431,6 +15431,13 @@ are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a
directory containing certificate files. This does not work with GnuTLS; the
option must be set to the name of a single file if you are using GnuTLS.

+These certificates should be for the certificate authorities trusted, rather
+than the public cert of individual clients. With both OpenSSL and GnuTLS, if
+the value is a file then the certificates are sent by Exim as a server to
+connecting clients, defining the list of accepted certificate authorities.
+Thus the values defined should be considered public data. To avoid this,
+use OpenSSL with a directory.
+

.option tls_verify_hosts main "host list&!!" unset
.cindex "TLS" "client certificate verification"