Author: Jeremy Harris
Date:
To: exim-dev
Subject: Re: [exim-dev] tls_in_peerdn/tls_in_peercert for unverified certificate
On 26/12/14 00:44, Viktor Dukhovni wrote:
> On Thu, Dec 25, 2014 at 09:45:42PM +0000, Jeremy Harris wrote:
>> - Doesn't do anything for GnuTLS builds
>> - Wastefully dups every link in a CA-anchored chain
>> - Depends on undocumented behaviour of OpenSSL; that
>> the verify callback will always be called for every certificate
>> chain element, including when a nonterminal certificate
>> does not verify
>> - Does not work for DANE-anchored chains
>> - Needs documentation
>
> This does not sound right.
Which part?
> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once).
Reference?
> This should also be true for DANE.
You're not looking at his code, which did not appear
in the DANE verification path.
> Get in touch off-list if you're seeing something else. Postfix
> always completes the handshake, and gracefully disconnects (QUIT)
> if the connection is less secure than desired.