Hi,
as I saw now, the subject is confusing. I changed it.
And made the long story shorter.
(Originally I wanted to complain about loading the
default CAs, but now it's documented at least.)
Heiko Schlittermann <hs@???> (Di 25 Nov 2014 00:20:55 CET):
…
> unset:: With tls_verify_certificates not mentioned (as above) I get
> LOG: Exim configuration error: tls_verify_hosts is set, but tls_verify_certificates is not set
>
> empty string:: With "tls_verify_certificates =", I get
> LOG: Verified: 0
> LOG: Peer dn:
>
> forced failure:: With "tls_verify_certificates = ${if eq{a}{b}{foo}fail}" I get
> LOG: Verified: 0
> LOG: Peer dn:
These two lines should behave the same way:

    # tls_verify_certificates =                         // not set
    tls_verify_certificates = ${if eq{a}{b}{CA}fail}    // forced failure

--> depending on tls_verify_hosts, a configuration error

And these lines should behave the same way:

    tls_verify_certificates =                           // empty string
    tls_verify_certificates = ${if eq{a}{b}{CA}}        // empty string

--> always a valid configuration, but probably no verification success

All other settings should load the trust store for verification.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-
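
The behaviour proposed in the message above, modelled as an added example (not part of the original message and not Exim code). The expander handles only the `${if eq{..}{..}{..}}` forms used in the message; the outcome names and the result for an unset option without tls_verify_hosts are assumptions of this sketch.

```python
import re
from enum import Enum

class Outcome(Enum):
    CONFIG_ERROR = "configuration error"
    NOT_CONFIGURED = "no verification configured"   # assumption, see classify()
    EMPTY = "valid configuration, nothing to verify against"
    LOAD_TRUST_STORE = "load trust store"

FORCED_FAIL = object()   # marker for a forced expansion failure

# Toy expander for the single construct used in the message:
#   ${if eq{A}{B}{YES}}   ${if eq{A}{B}{YES}{NO}}   ${if eq{A}{B}{YES}fail}
_IF_EQ = re.compile(
    r"^\$\{if eq\{([^{}]*)\}\{([^{}]*)\}\{([^{}]*)\}(?:\{([^{}]*)\}|(fail))?\}$")

def expand(value):
    """Return the expanded string, or FORCED_FAIL."""
    m = _IF_EQ.match(value)
    if m is None:
        return value                 # plain string, nothing to expand
    a, b, yes, no, fail = m.groups()
    if a == b:
        return yes
    if fail:
        return FORCED_FAIL
    return no or ""                  # omitted "no" string expands to empty

def classify(setting, verify_hosts_set):
    """setting is None when the option is absent from the configuration."""
    result = FORCED_FAIL if setting is None else expand(setting.strip())
    if result is FORCED_FAIL:
        # Proposal: "not set" and "forced failure" are the same case.
        # The message only covers tls_verify_hosts being set; the other
        # branch is an assumption of this sketch.
        return Outcome.CONFIG_ERROR if verify_hosts_set else Outcome.NOT_CONFIGURED
    if result == "":
        return Outcome.EMPTY
    return Outcome.LOAD_TRUST_STORE

# The settings from the message, evaluated with tls_verify_hosts set:
if __name__ == "__main__":
    for s in (None, "${if eq{a}{b}{CA}fail}", "", "${if eq{a}{b}{CA}}", "CA"):
        print(repr(s), "->", classify(s, True).value)
```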