[exim-dev] tls_verify_certificates: unset vs. forced failure…

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-dev
Temat: [exim-dev] tls_verify_certificates: unset vs. forced failure vs. empty
Hello,

I believe the current situation about the various "non" values of
tls_verify_certificates (OpenSSL) is confusing. At least for me…


I propose the following:

    |tls_verify_certificates|Use: main|...
    |tls_verify_certificates|Use: smtp|...




    A forced expansion failure is equivalent to not setting this option at all.
    That is, no certificate will be loaded at all. It's permitted to set this
    option to an empty string, it's equivalent to setting it to /dev/null. It loads
    no certificate. (But, depending on tls_load_default_certificates, the default
    certificates still may be loaded.)¹


IMHO differentiating between forced failure and an empty string is
useful in situation where you want to avoid verification completly. And
it follows the same logic as the having a forced failure in an ACL
condition.

I've patched tls-openssl.c accordingly already. How GnuTLS behaves I do
not know. (Testing is more difficult since swaks --pipe currently does not
co-operate with Exim linked to GnuTLS)

¹) needs to be implemented.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-