Re: [exim] Verifying cert CN/SAN against hostname

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-users
Betreff: Re: [exim] Verifying cert CN/SAN against hostname
On 16/12/14 23:24, Tristan Schmelcher wrote:
> When using TLS certificate verification on outgoing SMTP, is it
> possible to enable verification of the remote server certificate's
> Common Name or Subject Alternate Name against the server hostname
> configured in the route_list ?


Yes, if you compile with EXPERIMENTAL_CERTNAMES or are running 4.next .
Or, with some effort, compiled with EXPERIMENTAL_EVENT and a bunch
of custom event-handler on tls:cert using certificate extractors.

> It seems that even when
> tls_verify_certificates is set there is no verification of the CN/SAN.


Lacking any of the above, correct.

> I am thinking there may be a way to achieve this verification with
> $tls_out_peerdn but it's not clear to me how. Has anyone done this
> before? My server requires authentication so I would like to do this
> to prevent a MitM attack from stealing my auth credentials.


The information isn't there in $tls_out_peerdn in the SAN case.
--
Cheers,
Jeremy