Re: [exim-dev] tls server certs

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-dev
Betreff: Re: [exim-dev] tls server certs
Further thinking and offline discussion on this:

On 04/08/14 19:10, Jeremy Harris wrote:
> The current exim OpenSSL build takes the "verify" bundle
> specified by global "tls_verify_certificates" and (presumably
> only if if can find a match?) decorates the server cert
> specified by global "tls_certificate" to give (in my
> testing - testcase 5760) a full certificate chain.


(meaning, the whole cert chain on the wire -
in this testcase: CA-root, CA-signing, server)

While not incorrect from a wire-protocol point of view,
this *is* something that needs fixing in Exim as it
impair our ability to test some scenarios of certificate use.

Unfortunately OpenSSL being "helpful" makes it quite difficult
to separate the controllability of the server actions and
client actions.

> The exim GnuTLS build does not do this; it
> does the simple thing.


(meaning, only the server cert on the wire)

... and this is wrong, but it's an incorrect configuration
of Exim as used by the testsuite case. Assuming the testcase
is intended to use the common case of CA-based certs it
should be configured with the server having (and sending)
a bundle of "CA signing cert" + "server cert", and the client
having *only* the "CA root cert".

I need to revisit the testsuite cert generation package, and
assorted testcase configs.
--
Cheers,
Jeremy