Re: [exim-dev] tls server certs

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] tls server certs
Further thinking and offline discussion on this:

On 04/08/14 19:10, Jeremy Harris wrote:
> The current exim OpenSSL build takes the "verify" bundle
> specified by global "tls_verify_certificates" and (presumably
> only if it can find a match?) decorates the server cert
> specified by global "tls_certificate" to give (in my
> testing - testcase 5760) a full certificate chain.
(meaning, the whole cert chain on the wire -
in this testcase: CA-root, CA-signing, server)

While not incorrect from a wire-protocol point of view,
this *is* something that needs fixing in Exim as it
impairs our ability to test some scenarios of certificate use.

Unfortunately OpenSSL being "helpful" makes it quite difficult
to separate the controllability of the server actions and
client actions.

> The exim GnuTLS build does not do this; it
> does the simple thing.
(meaning, only the server cert on the wire)

... and this is wrong, but it's an incorrect configuration
of Exim as used by the testsuite case. Assuming the testcase
is intended to use the common case of CA-based certs it
should be configured with the server having (and sending)
a bundle of "CA signing cert" + "server cert", and the client
having *only* the "CA root cert".

I need to revisit the testsuite cert generation package, and
assorted testcase configs.
--
Cheers,
Jeremy