[exim-dev] tls server certs

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: [exim-dev] tls server certs
The current exim OpenSSL build takes the "verify" bundle
specified by global "tls_verify_certificates" and (presumably
only if it can find a match?) decorates the server cert
specified by global "tls_certificate" to give (in my
testing - testcase 5760) a full certificate chain.

No particular harm ensues; I only saw this due
to the expanded version of TPDA I'm working on
(it has a tls:cert event, raised once per cert
in the server chain seen by a client) -
but this does seem to unfortunately conflate
the meanings of the configuration options.

You can confirm the wire traffic using wireshark.

The exim GnuTLS build does not do this; it
does the simple thing.


The relevant docs seem to be:

https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#
"When building its own certificate chain, an OpenSSL client/server will
try to fill in missing certificates from CAfile/CApath, if the
certificate chain was not explicitly specified"

https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
"If additional certificates are needed to complete the chain during the
TLS negotiation, CA certificates are additionally looked up in the
locations of trusted CA certificates"



We call SSL_CTX_load_verify_locations() in setup_certs() using
tls_verify_certificates.

We call SSL_CTX_use_certificate_chain_file() in
tls_expand_session_files() using tls_certificate -
presumably this does not count as "explicitly specified".


Any ideas? Should we bother trying to fix this?
--
Cheers,
Jeremy
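Added example (editor's code, not Exim's and not from the thread): the behaviour described above, reproduced with Python's ssl module, which drives the same OpenSSL calls Exim uses (SSL_CTX_load_verify_locations() via load_verify_locations(), SSL_CTX_use_certificate_chain_file() via load_cert_chain()). A throwaway root -> intermediate -> leaf PKI is generated with the openssl CLI (assumed to be installed); all names and subjects are constructed here. The client trusts only the root, so its verify result tells you whether the intermediate arrived on the wire. Three server configurations are compared: leaf only (the GnuTLS-like "simple thing"), leaf plus a verify bundle containing the intermediate (the tls_certificate + tls_verify_certificates situation from the post), and a certificate file that spells out the chain explicitly.

```python
"""Added example, not Exim's code: reproduce the OpenSSL chain-completion
behaviour described in the post using Python's ssl module, which calls the
same SSL_CTX_load_verify_locations() / SSL_CTX_use_certificate_chain_file()
APIs that Exim's setup_certs() and tls_expand_session_files() use."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed test PKI: root -> intermediate -> leaf (CN=localhost).
SUBJECTS = {
    "root": "/CN=Constructed Test Root",
    "inter": "/CN=Constructed Test Intermediate",
    "leaf": "/CN=localhost",
}
CA_EXT = ("basicConstraints=critical,CA:TRUE\n"
          "keyUsage=critical,keyCertSign,cRLSign\n"
          "subjectKeyIdentifier=hash\n")
LEAF_EXT = ("basicConstraints=CA:FALSE\n"
            "keyUsage=critical,digitalSignature\n"
            "extendedKeyUsage=serverAuth\n"
            "subjectAltName=DNS:localhost\n")


def _openssl(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _write_text(d, name, text):
    with open(os.path.join(d, name), "w") as f:
        f.write(text)


def _concat(d, out, *parts):
    """Build a PEM bundle from the named PEM files in d."""
    with open(os.path.join(d, out), "w") as f:
        for part in parts:
            with open(os.path.join(d, part)) as src:
                f.write(src.read())


def make_test_pki(d):
    """Generate the three-level chain with the openssl CLI (assumed installed)."""
    _write_text(d, "ca.ext", CA_EXT)
    _write_text(d, "leaf.ext", LEAF_EXT)
    for name in SUBJECTS:
        _openssl("genpkey", "-algorithm", "EC", "-pkeyopt",
                 "ec_paramgen_curve:P-256", "-out", f"{name}.key", cwd=d)
        _openssl("req", "-new", "-key", f"{name}.key", "-subj", SUBJECTS[name],
                 "-out", f"{name}.csr", cwd=d)
    _openssl("x509", "-req", "-in", "root.csr", "-signkey", "root.key",
             "-days", "30", "-extfile", "ca.ext", "-out", "root.pem", cwd=d)
    _openssl("x509", "-req", "-in", "inter.csr", "-CA", "root.pem", "-CAkey",
             "root.key", "-CAcreateserial", "-days", "30", "-extfile", "ca.ext",
             "-out", "inter.pem", cwd=d)
    _openssl("x509", "-req", "-in", "leaf.csr", "-CA", "inter.pem", "-CAkey",
             "inter.key", "-CAcreateserial", "-days", "30", "-extfile", "leaf.ext",
             "-out", "leaf.pem", cwd=d)
    _concat(d, "bundle.pem", "inter.pem", "root.pem")  # tls_verify_certificates analogue
    _concat(d, "chain.pem", "leaf.pem", "inter.pem")   # tls_certificate with an explicit chain


def client_accepts(server_ctx, client_ctx):
    """One loopback TLS handshake; True iff the client verified the server's chain."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)          # wait for the client to finish or reject us
        except OSError:              # ssl.SSLError is an OSError: client rejected the chain
            pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            try:
                with client_ctx.wrap_socket(raw, server_hostname="localhost"):
                    return True
            except ssl.SSLCertVerificationError:
                return False         # e.g. "unable to get local issuer certificate"
    finally:
        t.join(5)
        listener.close()


def run_demo():
    """Return {config: client_verified} for the three server configurations."""
    with tempfile.TemporaryDirectory() as d:
        make_test_pki(d)
        p = lambda n: os.path.join(d, n)
        client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client.load_verify_locations(cafile=p("root.pem"))  # trusts the root only

        leaf_only = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        leaf_only.load_cert_chain(p("leaf.pem"), p("leaf.key"))

        leaf_plus_bundle = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        leaf_plus_bundle.load_cert_chain(p("leaf.pem"), p("leaf.key"))
        leaf_plus_bundle.load_verify_locations(cafile=p("bundle.pem"))

        explicit = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        explicit.load_cert_chain(p("chain.pem"), p("leaf.key"))

        return {
            "leaf_only": client_accepts(leaf_only, client),
            "leaf_plus_verify_bundle": client_accepts(leaf_plus_bundle, client),
            "explicit_chain_file": client_accepts(explicit, client),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running it prints leaf_only False, leaf_plus_verify_bundle True, explicit_chain_file True: with only the leaf in the certificate file OpenSSL fills the chain from the verify store, exactly as the quoted SSL_CTX_use_certificate docs say, and a certificate file that already carries the intermediate is used as given. In OpenSSL's own terms the completion is controlled by the SSL_MODE_NO_AUTO_CHAIN mode flag; Python's ssl module does not expose it, so the example only shows the default behaviour.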