[exim-dev] [Bug 1170] SSL fingerprint should be made accessi…

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 1170] New: SSL fingerprint should be made accessible
Subject: [exim-dev] [Bug 1170] SSL fingerprint should be made accessible
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1170




--- Comment #5 from Jeremy Harris <jgh146exb@???> 2014-05-09 15:37:48 ---
The above commit gets us partway there: we have observability
(though as Bjoern notes, stronger hashes would be good).

On the server side we can do enforcement in any post-TLS-startup ACL
(meaning acl_smtp_helo, so long as you check for def:tls_in_cipher).
There's a security argument for being able to reject the TLS startup
negotiation
but this would require another ACL (acl_smtp_tls ?)

As a client we cannot do enforcement yet; this seems to need a TLS-verification
transport option, returning boolean to accept/deny the connection.


The possibilities here are couched in terms of "tools for the box", allowing
flexibility for meeting not-yet-requested needs. There is an alternate view
that such are too much rope to give the consumer, for they will get it wrong.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email