Re: [exim] Verifying cert CN/SAN against hostname

On 16/12/14 23:24, Tristan Schmelcher wrote:
> When using TLS certificate verification on outgoing SMTP, is it
> possible to enable verification of the remote server certificate's
> Common Name or Subject Alternate Name against the server hostname
> configured in the route_list ?

Yes, if you compile with EXPERIMENTAL_CERTNAMES or are running 4.next .
Or, with some effort, compiled with EXPERIMENTAL_EVENT and a bunch
of custom event-handler on tls:cert using certificate extractors.

> It seems that even when
> tls_verify_certificates is set there is no verification of the CN/SAN.

Lacking any of the above, correct.

> I am thinking there may be a way to achieve this verification with
> $tls_out_peerdn but it's not clear to me how. Has anyone done this
> before? My server requires authentication so I would like to do this
> to prevent a MitM attack from stealing my auth credentials.

The information isn't there in $tls_out_peerdn in the SAN case.
--
Cheers,
Jeremy