Re: [exim-dev] Should we always load the default trust store…

Author: Andreas Metzler
To: exim-dev
Subject: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty string)
On 2014-11-26 Heiko Schlittermann <hs@???> wrote:
[...]
> tls_verify_certificates seems to cause some trouble. I'm talking about
> the main config option, but I assume that everything holds for the smtp
> driver option of the same name too.

> There are two (probably only loosely related) issues:

>     - The inconsistent results of not setting this option at all,
>       having a forced failure, and setting it to an empty value.
>       This could be talked about in another thread.

>     - The confusing influence on loading a default trust store.
>       This I'm talking about here and now …

[...]

Hello,

just to add another piece of the puzzle: last time I checked,
exim/openssl and exim/gnutls had a major difference in behavior with
respect to tls_(try)verify_certificates: exim/GnuTLS would send the
list of acceptable CA certificates in the SSL handshake. If the list
is long enough, this breaks interconnectivity.

I do not know whether the code has changed since, though.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
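Added check, not part of the thread and not Exim or GnuTLS code: a small POSIX shell helper that counts the CA names a server advertises in its TLS CertificateRequest, as printed by openssl s_client, so the length of the list Andreas describes can be measured for a given MTA and compared between an OpenSSL-built and a GnuTLS-built Exim. The host name in the comment and both s_client transcripts are constructed samples.

```shell
#!/bin/sh
# Count the CA names a TLS server advertises in its CertificateRequest, as
# printed by `openssl s_client`. Added illustration for the exim-dev thread
# above; not Exim or GnuTLS code. The host name and the two sample
# transcripts below are constructed.

# Reads an `openssl s_client` transcript on stdin and prints the number of
# entries under "Acceptable client certificate CA names" (0 when the server
# reported "No client certificate CA names sent" or sent no request).
count_acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        /^No client certificate CA names sent/    { in_list = 0 }
        # The DN list ends at the next s_client section header.
        in_list && (/^Client Certificate Types/ || /^Requested Signature/ ||
                    /^Shared Requested/ || /^Peer signing/ || /^---/) { in_list = 0 }
        in_list && NF { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: a server that sends a CertificateRequest naming three
# CAs. Real output continues with certificate and session details.
SAMPLE_WITH_LIST='CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Root CA Inc, CN = Example Root CA
C = DE, O = Example Trust GmbH, CN = Example Trust Root 2
C = GB, O = Sample Certification Ltd, CN = Sample Public Root
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
---'

# Constructed sample: a server that requests a client certificate without
# naming any CA (what an OpenSSL-built Exim does unless told otherwise).
SAMPLE_NO_LIST='CONNECTED(00000003)
---
No client certificate CA names sent
Peer signing digest: SHA256
---'

# Wrappers that run the counter over the constructed samples.
ca_count_with_list() { printf '%s\n' "$SAMPLE_WITH_LIST" | count_acceptable_cas; }
ca_count_no_list()   { printf '%s\n' "$SAMPLE_NO_LIST"   | count_acceptable_cas; }

echo "CA names advertised (sample with list):    $(ca_count_with_list)"
echo "CA names advertised (sample without list): $(ca_count_no_list)"

# Live use against an MTA (hypothetical host name). The server only sends a
# CertificateRequest to clients it is configured to verify, so test from a
# host that matches its tls_verify_hosts / tls_try_verify_hosts:
#   openssl s_client -connect mail.example.org:25 -starttls smtp </dev/null 2>/dev/null \
#       | count_acceptable_cas
```

In a TLS 1.2 CertificateRequest the names travel as DER-encoded DistinguishedNames in a single list (RFC 5246, section 7.4.4), so a server that advertises its whole system trust store produces a handshake message that grows with every CA in that store; the count this helper prints is the number to compare between the two Exim builds discussed above.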