Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified …

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified certificate
On 26/12/14 00:44, Viktor Dukhovni wrote:
> On Thu, Dec 25, 2014 at 09:45:42PM +0000, Jeremy Harris wrote:
>> - Doesn't do anything for GnuTLS builds
>> - Wastefully dups every link in a CA-anchored chain
>> - Depends on undocumented behaviour of OpenSSL; that
>> the verify callback will always be called for every certificate
>> chain element, including when a nonterminal certificate
>> does not verify
>> - Does not work for DANE-anchored chains
>> - Needs documentation
>
> This does not sound right.


Which part?

> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once).


Reference?

> This should also be true for DANE.


You're not looking at his code, which did not appear
in the DANE verification path.

> Get in touch off-list if you're seeing something else. Postfix
> always completes the handshake, and gracefully disconnects (QUIT)
> if the connection is less secure than desired.


Postfix is not relevant here.
--
Cheers,
Jeremy