Re: [exim] tls_verify_hostname

Author: Phil Pennock
Date:  
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] tls_verify_hostname
On 2012-04-16 at 21:51 +0100, Jeremy Harris wrote:
> On 2012-04-16 07:52, Phil Pennock wrote:
> > we'd better have DNSSEC
> > support in Exim
>
> Also a good notion. Wishlist item, or should it be handled by some
> other software component on the system (nscd, etc.)?


Should be able to set it as a resolver client option and check bits in
the result, leaving it up to the administrator to install a verifying
resolver. That way we avoid implementing a lot of logic which breaks
with new algorithms, bug-fixes etc, and which is prone to security
implications. We just delegate. The admin can install "unbound" or
configure "bind" to verify, or whatever.

> > I suspect that
> > we'd be better off with DN parse routines exposed as expansion
> > operators (or items), which would help with LDAP too.
>
> That would work. It's not something I know about; does anyone
> else work in that area who's prepared to take it on?


I didn't look but assumed that the actual parse logic was necessarily in
the original patch, to be able to get CN out.

> > TLS debugging: I'm all in favour of more detailed information in debug
> > logs.
>
> The implication is that it got lost and ought to
> be accepted, as opposed to wasn't found useful?


I wasn't an Exim developer in 2002. I have no context, beyond what I
saw in the thread, which suggests that things simply got lost.

-Phil
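As an added illustration of the delegation Phil describes above (not code from the thread, from Exim, or from any named resolver), the following Python builds a DNS query with the AD (Authenticated Data) bit requested, parses the header flags of the reply, and accepts the answer as validated only when the resolver set AD in its response. The verifying resolver itself is assumed to be whatever the administrator installed; the response bytes used here are constructed inline so the logic can run offline. The `ask_local_resolver` helper and the `127.0.0.1` default are assumptions for illustration.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 1 << 15  # message is a response
FLAG_AA = 1 << 10  # authoritative answer
FLAG_TC = 1 << 9   # truncated
FLAG_RD = 1 << 8   # recursion desired
FLAG_RA = 1 << 7   # recursion available
FLAG_AD = 1 << 5   # authenticated data (set by a validating resolver)
FLAG_CD = 1 << 4   # checking disabled (we leave this clear)


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Query for `name` with RD and AD set, asking the resolver to report validation."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Split the 12-byte DNS header into the fields a client needs to check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x0F,
        "truncated": bool(flags & FLAG_TC),
        "authenticated": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "qdcount": qd,
        "ancount": an,
    }


def is_validated_answer(query, response):
    """True only if `response` answers `query` cleanly and the resolver marked it AD.

    The AD bit is plain header data: it is only worth trusting when the path
    to the validating resolver is itself trusted (e.g. a resolver on localhost).
    """
    q = parse_header(query)
    r = parse_header(response)
    return (r["is_response"] and r["id"] == q["id"]
            and r["rcode"] == 0 and not r["truncated"]
            and r["authenticated"])


def make_response(query, ad):
    """Constructed reply to `query` with one A record; `ad` controls the AD bit."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, rflags, qd, 1, 0, 0)
    # Answer: pointer to the question name (0xc00c), type A, class IN, TTL, rdlength, rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def ask_local_resolver(name, server="127.0.0.1", port=53, timeout=2.0):
    """Assumed helper: send the query over UDP to a local verifying resolver."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        response, _ = s.recvfrom(4096)
    return is_validated_answer(query, response)


if __name__ == "__main__":
    q = build_query("example.org", txid=0x1234)
    print("validated:", is_validated_answer(q, make_response(q, ad=True)))
    print("unvalidated:", is_validated_answer(q, make_response(q, ad=False)))
```

The client does no DNSSEC cryptography of its own; it only asks for and checks the AD flag, which is the division of labour the message proposes. A reply with AD clear is not an error, it just carries no validation claim, so the caller treats it as unverified.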