The current exim OpenSSL build takes the "verify" bundle
specified by global "tls_verify_certificates" and (presumably
only if if can find a match?) decorates the server cert
specified by global "tls_certificate" to give (in my
testing - testcase 5760) a full certificate chain.
No particular harm ensues; I only saw this due
to the expanded version of TPDA I'm working on
(it has a tls:cert event, raised once per cert
in the server chain seen by a client) -
but this does seem to unfortunately conflate
the meanings of the configuration options.
You can confirm the wire traffic using wireshark.
The exim GnuTLS build does not do this; it
does the simple thing.
The relevant docs seem to be:
https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#
"When building its own certificate chain, an OpenSSL client/server will
try to fill in missing certificates from CAfile/CApath, if the
certificate chain was not explicitly specified"
https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
"If additional certificates are needed to complete the chain during the
TLS negotiation, CA certificates are additionally looked up in the
locations of trusted CA certificates"
We call SSL_CTX_load_verify_locations() in setup_certs() using
tls_verify_certificates.
We call SSL_CTX_use_certificate_chain_file() in
tls_expand_session_files() using tls_certificate -
presumably this does not count as "explicitly specified".
Any ideas? Should we bother trying to fix this?
--
Cheers,
Jeremy
