Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified …

Top Page
Delete this message
Reply to this message
Author: Roman Rybalko
Date:  
To: exim-dev
Subject: Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified certificate
Tried GnuTLS and guess what? GnuTLS code keeps peercert & peerdn defined
for invalid certificates!
So, this is not a feature - this is a bug fix.
>> - Doesn't do anything for GnuTLS builds

Not needed. GnuTLS already works the same way.
>> - Wastefully dups every link in a CA-anchored chain

Fixed (X509_free).
>> - Depends on undocumented behaviour of OpenSSL; that
>>    the verify callback will always be called for every certificate
>>    chain element, including when a nonterminal certificate
>>    does not verify

The behavior is actually already documented. Perhaps it wasn't before.
>> - Does not work for DANE-anchored chains

Questionable. Will see when this functionality will be implemented in
the OpenSSL.
>> - Needs documentation

No need docs change - everything now works according the docs.
> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once). This should also be true for DANE.

True.

So, please try my next pull request: https://github.com/Exim/exim/pull/25