Hello,
I believe the current situation about the various "non" values of
tls_verify_certificates (OpenSSL) is confusing. At least for me…
I propose the following:
|tls_verify_certificates|Use: main|...
|tls_verify_certificates|Use: smtp|...
…
A forced expansion failure is equivalent to not setting this option at all.
That is, no certificate will be loaded at all. It's permitted to set this
option to an empty string, it's equivalent to setting it to /dev/null. It loads
no certificate. (But, depending on tls_load_default_certificates, the default
certificates still may be loaded.)¹
IMHO differentiating between forced failure and an empty string is
useful in situation where you want to avoid verification completly. And
it follows the same logic as the having a forced failure in an ACL
condition.
I've patched tls-openssl.c accordingly already. How GnuTLS behaves I do
not know. (Testing is more difficult since swaks --pipe currently does not
co-operate with Exim linked to GnuTLS)
¹) needs to be implemented.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-
