[exim-dev] [Bug 1170] New: SSL fingerprint should be made ac…

Author: Bjoern Jacke
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1170] SSL fingerprint should be made accessible
Subject: [exim-dev] [Bug 1170] New: SSL fingerprint should be made accessible
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1170
           Summary: SSL fingerprint should be made accessible
           Product: Exim
           Version: 4.77
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: TLS
        AssignedTo: nigel@???
        ReportedBy: bjoern@???
                CC: exim-dev@???



Currently it is not possible with Exim to tell it what a certain domain's mail
server's SSL fingerprint is. Today it is only possible to trust servers by
trusting one or multiple CAs that have signed their certificates.

For security reasons it would be *very* good if you could tell Exim that the
mail server mail.example.com has a certain SSL fingerprint and that only *that*
fingerprint is the right one for that domain. This is also important to prevent
attacks from people who got spurious access to one of the trusted CAs.

Postfix has very advanced TLS support, here is the documentation of the above
mentioned fingerprint checking in Postfix:
http://www.postfix.org/TLS_README.html#client_tls_fprint
Maybe you can get some inspiration from that ...


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
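
The per-host fingerprint check requested above, as an added example that is not part of the original report and is not Exim or Postfix code. The function names, the `PINS` table layout and the rule that a pinned host ignores the CA result are assumptions of this sketch; the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib
import hmac


def fingerprint(der_cert, algo="sha256"):
    """Digest of the DER-encoded certificate as upper-case hex pairs joined by colons."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    # Accept pins written with or without colons/spaces, in either case.
    return fp.replace(":", "").replace(" ", "").lower().encode("ascii")


def check_peer(host, der_cert, pins, ca_verified):
    """Decide whether to trust the peer certificate presented by `host`.

    pins maps a host name to the list of fingerprints accepted for it.
    Assumed policy: a pinned host is accepted only on a fingerprint match,
    whatever the CA chain says; an unpinned host falls back to the CA result.
    Returns (accepted, reason).
    """
    wanted = pins.get(host.lower().rstrip("."))
    if wanted is None:
        return (ca_verified, "ca-verified" if ca_verified else "ca-failed")
    seen = _normalise(fingerprint(der_cert))
    for pin in wanted:
        # Constant-time comparison; digests of different length never match.
        if hmac.compare_digest(seen, _normalise(pin)):
            return (True, "pin-match")
    return (False, "pin-mismatch")


# Constructed sample data: stand-ins for DER certificate bytes.
GOOD_CERT = b"constructed stand-in: DER bytes of the real mail.example.com certificate"
OTHER_CERT = b"constructed stand-in: a different certificate issued by a trusted CA"
PINS = {"mail.example.com": [fingerprint(GOOD_CERT)]}

if __name__ == "__main__":
    # The pinned certificate is accepted even without a CA chain.
    print(check_peer("mail.example.com", GOOD_CERT, PINS, ca_verified=False))
    # A CA-valid but unpinned certificate for the pinned host is rejected.
    print(check_peer("mail.example.com", OTHER_CERT, PINS, ca_verified=True))
    # Hosts without a pin keep today's CA-only behaviour.
    print(check_peer("other.example.net", OTHER_CERT, PINS, ca_verified=True))
```

The second call is the case the report is about: a certificate that chains to a trusted CA but is not the one pinned for that host is refused.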