[exim-dev] tls_verify_certificates forced failure vs. empty …

Author: Heiko Schlittermann
Date:
To: exim-dev
Old topic: [exim-dev] tls_verify_certificates loads the default CA list
Subject: [exim-dev] tls_verify_certificates forced failure vs. empty string (was: tls_verify_certificates loads the default CA list)
Hi,

as I saw now, the subject is confusing. I changed it.
And made the long story shorter.

(Originally I wanted to complain about loading the
default CAs, but now it's documented at least.)

Heiko Schlittermann <hs@???> (Di 25 Nov 2014 00:20:55 CET):

> unset:: With tls_verify_certificates not mentioned (as above) I get
>     LOG: Exim configuration error: tls_verify_hosts is set, but tls_verify_certificates is not set
>
> empty string:: With "tls_verify_certificates =", I get
>     LOG: Verified: 0
>     LOG: Peer dn:
>
> forced failure:: With "tls_verify_certificates = ${if eq{a}{b}{foo}fail}" I get
>     LOG: Verified: 0
>     LOG: Peer dn:


These two lines should behave the same way:

    # tls_verify_certificates =                         // not set
    tls_verify_certificates = ${if eq{a}{b}{CA}fail}    // forced failure


    --> depending on tls_verify_hosts a configuration error


And these lines should behave the same way

    tls_verify_certificates =                       // empty string
    tls_verify_certificates = ${if eq{a}{b}{CA}}    // empty string


    --> always a valid configuration, but probably no verification
        success


All other settings should load the trust store for verification.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
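
The behaviour proposed in the message above, written out as an added example (not part of the original post and not Exim code). It is a simplified model: expand() handles only the ${if eq{..}{..}{..}} form used in the post, and the outcome labels are assumptions made for illustration.

```python
import re

FORCED_FAILURE = object()  # sentinel: the expansion ended on the bare keyword "fail"

# Only the form used in the post: ${if eq{A}{B}{YES}}, optionally followed by
# {NO} or the keyword fail. No nesting, no other conditions (simplified model).
_IF_EQ = re.compile(
    r"^\$\{if\s+eq\s*\{([^{}]*)\}\s*\{([^{}]*)\}\s*\{([^{}]*)\}"
    r"\s*(?:\{([^{}]*)\}|(fail))?\s*\}$"
)

def expand(value):
    """Expand a literal string or a single ${if eq{..}{..}{..}[{..}|fail]} item."""
    m = _IF_EQ.match(value.strip())
    if m is None:
        return value.strip()          # plain literal, nothing to expand
    left, right, yes, no, fail = m.groups()
    if left == right:
        return yes                    # condition true: first string
    if fail:
        return FORCED_FAILURE         # condition false, "fail" given
    return no or ""                   # condition false: second string or empty

def proposed_outcome(setting, verify_hosts_set):
    """Map a tls_verify_certificates setting to the outcome the post proposes.

    setting is None when the option does not appear in the configuration.
    """
    result = FORCED_FAILURE if setting is None else expand(setting)
    if result is FORCED_FAILURE:
        # Forced failure is treated exactly like "not set".
        return "config-error" if verify_hosts_set else "unset"
    if result == "":
        # Valid configuration, but verification will probably not succeed.
        return "valid-empty"
    return "load-trust-store:" + result

if __name__ == "__main__":
    # Settings taken from the post, plus None for "option absent".
    for s in (None, "${if eq{a}{b}{CA}fail}", "", "${if eq{a}{b}{CA}}", "CA"):
        print(repr(s), "->", proposed_outcome(s, verify_hosts_set=True))
```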