Tried GnuTLS and guess what? GnuTLS code keeps peercert & peerdn defined
for invalid certificates!
So, this is not a feature - this is a bug fix.
>> - Doesn't do anything for GnuTLS builds
Not needed. GnuTLS already works the same way.
>> - Wastefully dups every link in a CA-anchored chain
Fixed (X509_free).
>> - Depends on undocumented behaviour of OpenSSL; that
>> the verify callback will always be called for every certificate
>> chain element, including when a nonterminal certificate
>> does not verify
The behavior is actually already documented. Perhaps it wasn't before.
>> - Does not work for DANE-anchored chains
Questionable. We'll see when this functionality is implemented in
OpenSSL.
>> - Needs documentation
No docs change needed - everything now works according to the docs.
> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once). This should also be true for DANE.
True.
So, please try my next pull request:
https://github.com/Exim/exim/pull/25
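As an added illustration of the behaviour discussed above (this is example code written for this page, not Exim's code and not from the pull request): a client-side OpenSSL verify callback that returns 1 unconditionally, so that every element of the chain is passed through it, while the application keeps its own "verified" flag and still has the peer certificate available after a failed verification. It assumes pyOpenSSL and cryptography are installed; the CA and leaf certificates are constructed in memory, the client trust store is left empty so the chain cannot verify, and the handshake runs over memory BIOs rather than sockets.

```python
"""Added example (not Exim's code): a verify callback that always returns
True so OpenSSL visits every chain element, while the application records
what it saw and keeps the peer certificate even though verification failed.
Assumes pyOpenSSL and cryptography; the chain is constructed in memory."""
import datetime

from OpenSSL import SSL, crypto
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _make_chain():
    """Constructed test chain: a self-signed CA and a leaf it signs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mail.example.test")])
    ca = (x509.CertificateBuilder()
          .subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key())
          .serial_number(x509.random_serial_number())
          .not_valid_before(now - datetime.timedelta(minutes=5))
          .not_valid_after(now + datetime.timedelta(hours=1))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf = (x509.CertificateBuilder()
            .subject_name(leaf_name).issuer_name(ca_name)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(hours=1))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return ca, leaf, leaf_key


def run_handshake_recording_chain():
    """Client verifies against an empty trust store, so the CA is untrusted.
    The callback records (depth, errno, ok) for every chain element and
    returns True regardless; the handshake completes and the peer cert
    remains available to the application alongside its own verified flag."""
    ca, leaf, leaf_key = _make_chain()
    srv_ctx = SSL.Context(SSL.TLS_METHOD)
    srv_ctx.use_privatekey(crypto.PKey.from_cryptography_key(leaf_key))
    srv_ctx.use_certificate(crypto.X509.from_cryptography(leaf))
    srv_ctx.add_extra_chain_cert(crypto.X509.from_cryptography(ca))

    state = {"calls": [], "verified": True}

    def verify_cb(conn, cert, errno, depth, ok):
        # Record what OpenSSL reported; any failing element clears our flag.
        state["calls"].append((depth, errno, ok))
        if not ok:
            state["verified"] = False
        return True  # continue the handshake even when ok == 0

    cli_ctx = SSL.Context(SSL.TLS_METHOD)
    cli_ctx.set_verify(SSL.VERIFY_PEER, verify_cb)

    client = SSL.Connection(cli_ctx, None)  # memory BIOs, no sockets
    server = SSL.Connection(srv_ctx, None)
    client.set_connect_state()
    server.set_accept_state()

    def pump(src, dst):
        # Move whatever src has queued for the wire into dst's input.
        try:
            dst.bio_write(src.bio_read(65536))
        except SSL.WantReadError:
            pass

    conns = [client, server]
    done = [False, False]
    for _ in range(20):
        for i, conn in enumerate(conns):
            if not done[i]:
                try:
                    conn.do_handshake()
                    done[i] = True
                except SSL.WantReadError:
                    pass
        pump(client, server)
        pump(server, client)
        if all(done):
            break

    peer = client.get_peer_certificate()
    return {
        "handshake_complete": all(done),
        "calls": state["calls"],
        "verified": state["verified"],
        "peer_cert_present": peer is not None,
        "peer_cn": None if peer is None else peer.get_subject().CN,
    }


if __name__ == "__main__":
    print(run_handshake_recording_chain())
```

The recorded list shows the callback being invoked for the untrusted CA with ok == 0 and then for the remaining elements with ok == 1; the peer certificate is still present after the handshake, which is the property the thread describes for peercert and peerdn, and the application's own flag is what says whether the chain was actually verified.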