[exim-dev] tls_verify_certificates loads the default CA list

From: Heiko Schlittermann
Date:  
To: exim-dev
Follow-ups: [exim-dev] tls_verify_certificates forced failure vs. empty string (was: tls_verify_certificates loads the default CA list)
Subject: [exim-dev] tls_verify_certificates loads the default CA list
Hello,

I ran into an issue regarding the certificate verification.

Exim is the server, Swaks is (for testing purpose) the client.

The spec:

    +-----------------------+---------+-------------+--------------+
    |tls_verify_certificates|Use: main|Type: string*|Default: unset|
    +-----------------------+---------+-------------+--------------+


    The value of this option is expanded, and must then be the absolute path to a
    file containing permitted certificates for clients that match tls_verify_hosts
    or tls_try_verify_hosts. 
    …
    A forced expansion failure or setting to an empty string is equivalent to being
    unset.


I believe the spec does not match the behaviour.

For demonstration purpose I've stripped down the configuration and I'm
testing it using a recent swaks --tls-cert … --tls-key … --pipe …

    ,--
    |acl_smtp_rcpt = acl_check_rcpt
    |
    |tls_advertise_hosts = *
    |tls_certificate     = $config_dir/crt.pem
    |tls_privatekey      = $config_dir/key.pem
    |
    |tls_verify_hosts = *
    |# tls_verify_certificates = 
    |
    |begin acl
    |    acl_check_rcpt:
    |        warn    logwrite = Verified: $tls_in_certificate_verified
    |                logwrite = Peer DN: $tls_in_peerdn
    |        accept
    `--



unset:: With tls_verify_certificates not mentioned (as above) I get
    LOG: Exim configuration error: tls_verify_hosts is set, but tls_verify_certificates is not set


empty string:: With "tls_verify_certificates =", I get 
    LOG: Verified: 0
    LOG: Peer dn: 


forced failure:: With "tls_verify_certificates = ${if eq{a}{b}{foo}fail}" I get
    LOG: Verified: 0
    LOG: Peer dn: 


(( non empty string:: With "tls_verify_certificates = /dev/null" this /dev/null gets
added to the default list of certs in the CA store: This works as
documented:
    LOG: Verified: 1
    LOG: Peer dn: /C=DE/ST=Saxony/O=schlittermann -- internet & unix support/CN=jumper.schlittermann.de


This is another issue I'll discuss in a next message.
))

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
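The four cases in the report (unset, empty string, forced expansion failure, and a real path) are easy to confuse in a deployed configuration, and the observed behaviour means two of them silently leave clients unverified while tls_verify_hosts is set. The following linter is an added example, not code from Heiko's message or from the Exim project: it parses the main section of an Exim-style configuration (the simple `name = value` form used in the report; `begin acl` ends the main section), classifies tls_verify_certificates into the report's four cases, and reports the ones the message observed to be problematic. The forced-failure detection is a heuristic that only recognises an `${if ...}` expansion containing the literal `fail` branch; the sample configuration is the one from the report with the commented-out line kept so the "unset" case is exercised.

```python
"""Lint an Exim main-section configuration for the tls_verify_certificates
pitfalls described in the report (added example, not Exim's own code)."""
import re

# Constructed sample: the stripped-down configuration from the report.
SAMPLE_CONFIG = """\
acl_smtp_rcpt = acl_check_rcpt

tls_advertise_hosts = *
tls_certificate     = $config_dir/crt.pem
tls_privatekey      = $config_dir/key.pem

tls_verify_hosts = *
# tls_verify_certificates =

begin acl
    acl_check_rcpt:
        warn    logwrite = Verified: $tls_in_certificate_verified
                logwrite = Peer DN: $tls_in_peerdn
        accept
"""

# Heuristic: a '${if ...}' expansion whose body carries a bare 'fail' branch.
FORCED_FAIL = re.compile(r"\bfail\b")


def parse_main_section(text):
    """Return {option: value} for the main section, i.e. everything before
    the first 'begin ...' line. Blank lines and '#' comments are skipped, so a
    commented-out option counts as unset. Assumes the simple 'name = value'
    form used in the report (no line continuations, no macros)."""
    options = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("begin "):
            break
        name, sep, value = stripped.partition("=")
        if not sep:
            continue
        options[name.strip()] = value.strip()
    return options


def classify_verify_certificates(options):
    """Map tls_verify_certificates onto the report's four cases:
    'unset', 'empty', 'forced-fail' or 'path'."""
    if "tls_verify_certificates" not in options:
        return "unset"
    value = options["tls_verify_certificates"]
    if value == "":
        return "empty"
    if value.startswith("${if") and FORCED_FAIL.search(value):
        return "forced-fail"
    return "path"


def lint(text):
    """Return a list of findings (empty when nothing looks wrong)."""
    options = parse_main_section(text)
    findings = []
    # Verification is only requested when one of these host lists is set.
    if not (options.get("tls_verify_hosts") or options.get("tls_try_verify_hosts")):
        return findings
    case = classify_verify_certificates(options)
    if case == "unset":
        findings.append("tls_verify_hosts is set but tls_verify_certificates is "
                        "unset: Exim reports a configuration error and refuses to start")
    elif case in ("empty", "forced-fail"):
        findings.append(f"tls_verify_certificates is {case}: the spec says this equals "
                        "unset, but the report observed Exim starting and logging "
                        "'Verified: 0', i.e. clients accepted without verification")
    elif options["tls_verify_certificates"] == "/dev/null":
        findings.append("tls_verify_certificates = /dev/null: the report observed the "
                        "default CA list being added to the store, so any client "
                        "certificate chaining to a system CA verifies")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it against the sample and it reports the "unset" case; swapping the commented-out line for `tls_verify_certificates =` or the `${if ...fail}` expansion moves the finding to the silently-unverified case, which is the one worth catching before it reaches production.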