Re: [exim] SNI Support

Author: Phil Pennock
Date:  
To: John Burnham
CC: exim-users@exim.org
Subject: Re: [exim] SNI Support
On 2013-10-10 at 16:17 +0100, John Burnham wrote:
> As it says in the docs:
>
> Great care should be taken to deal with matters of case, various injection attacks in the string (../ or SQL), and ensuring that a valid filename can always be referenced; it is important to remember that $tls_sni is arbitrary unverified data provided prior to authentication.
>
> ---
> So you could have
> tls_privatekey = /etc/exim/keys/${tls_sni}
> tls_certificate = /etc/exim/certs/${tls_sni}
> Or something fancier with lookups and defaults and all that sort of thing (and that does some sanity checking of the contents of $tls_sni - especially if you're using a SQL based lookup).


Note that the SNI field in TLS is just a text string, so could easily be
"../../../../../etc/passwd".

Regards,
-Phil
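
Added example, not part of the original message and not Exim code: a Python sketch of the checks the quoted documentation asks for before an SNI string is turned into a filename (case folding, rejecting path and SQL metacharacters, and always resolving to a file that exists). The function name `cert_path_for_sni`, the `default` filename and the sample inputs are assumptions made for illustration.

```python
import os
import re
import tempfile

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def cert_path_for_sni(sni, cert_dir, default_name="default"):
    """Map an untrusted SNI string to a certificate file inside cert_dir.

    Always returns a path under cert_dir; anything unexpected gets the default.
    """
    base = os.path.realpath(cert_dir)
    default = os.path.join(base, default_name)
    name = (sni or "").lower().rstrip(".")  # case-fold, drop a trailing root dot
    # Strict hostname syntax rejects "/", "..", quotes, spaces and NUL bytes.
    if len(name) > 253 or not _HOSTNAME.fullmatch(name):
        return default
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment check after symlink resolution, then existence check,
    # so a valid filename can always be referenced.
    if os.path.dirname(candidate) != base or not os.path.isfile(candidate):
        return default
    return candidate


def demo():
    """Run constructed SNI values against a temporary certificate directory."""
    with tempfile.TemporaryDirectory() as d:
        for fn in ("default", "mail.example.com"):
            open(os.path.join(d, fn), "w").close()
        samples = [
            "Mail.Example.COM",           # mixed case, known host
            "../../../../../etc/passwd",  # the traversal string from the message
            "",                           # client sent no SNI
            "x' OR '1'='1",               # SQL metacharacters
            "unknown.example.org",        # well-formed but no matching file
        ]
        return {s: os.path.basename(cert_path_for_sni(s, d)) for s in samples}


if __name__ == "__main__":
    for sni, chosen in demo().items():
        print(f"{sni!r:32} -> {chosen}")
```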