Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified …

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified certificate
On Thu, Dec 25, 2014 at 09:45:42PM +0000, Jeremy Harris wrote:

> On 25/12/14 21:19, Roman Rybalko wrote:
> > Please, check my pull request: https://github.com/Exim/exim/pull/24
>
> - Doesn't do anything for GnuTLS builds
> - Wastefully dups every link in a CA-anchored chain
> - Depends on undocumented behaviour of OpenSSL; that
> the verify callback will always be called for every certificate
> chain element, including when a nonterminal certificate
> does not verify
> - Does not work for DANE-anchored chains
> - Needs documentation
This does not sound right. When the verify callback unconditionally
returns "1" (continue with handshake) even when "ok == 0", then
every element of the certificate chain will be passed to the verify
callback (at least once). This should also be true for DANE.

Get in touch off-list if you're seeing something else. Postfix
always completes the handshake, and gracefully disconnects (QUIT)
if the connection is less secure than desired.

-- 
    Viktor.