Szerző: Jeremy Harris Dátum: Címzett: exim-users Tárgy: Re: [exim] Verifying cert CN/SAN against hostname
On 16/12/14 23:24, Tristan Schmelcher wrote: > When using TLS certificate verification on outgoing SMTP, is it
> possible to enable verification of the remote server certificate's
> Common Name or Subject Alternate Name against the server hostname
> configured in the route_list ?
Yes, if you compile with EXPERIMENTAL_CERTNAMES or are running 4.next .
Or, with some effort, compiled with EXPERIMENTAL_EVENT and a bunch
of custom event-handler on tls:cert using certificate extractors.
> It seems that even when
> tls_verify_certificates is set there is no verification of the CN/SAN.
Lacking any of the above, correct.
> I am thinking there may be a way to achieve this verification with
> $tls_out_peerdn but it's not clear to me how. Has anyone done this
> before? My server requires authentication so I would like to do this
> to prevent a MitM attack from stealing my auth credentials.
The information isn't there in $tls_out_peerdn in the SAN case.
--
Cheers,
Jeremy