[exim] tls_try_verify_hosts vs. tls_verify_hosts

Author: Mario Lipinski
Date:  
To: exim-users
Subject: [exim] tls_try_verify_hosts vs. tls_verify_hosts
Hello exim-users,

I am trying to set up an SMTP transport that should verify whether the
remote host presented a valid SSL certificate for the MX record of $domain.

When I set "tls_verify_hosts = *" and some other options this seems to
work well. "CV=yes" is logged and $tls_out_certificate_verified is set
to 1.
However, if I replace "tls_verify_hosts = *" with "tls_try_verify_hosts
= *", "CV=no" is logged and $tls_out_certificate_verified is unset. It
seems that no certificate validation is performed. However, the
connection seems fine and $tls_out_peerdn looks good.
The test case was exactly the same.

I would prefer running tls_try_verify_hosts for some time and just have
some logging about the failed verification before switching to rejecting
connections (tls_verify_hosts). I assumed that tls_try_verify_hosts
should work exactly this way and consider this a bug.

Mario

--
Kind regards,
Mario Lipinski

IServ GmbH
Bültenweg 73
38106 Braunschweig

Phone:     0531-2243666-0
Fax:       0531-2243666-9
E-mail:    info@???
Internet:  iserv.eu


VAT ID DE265149425 | Amtsgericht Braunschweig | HRB 201822
Managing Directors: Benjamin Heindl, Jörg Ludwig
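
The monitoring phase described in the message above (log verification results for a while before enforcing) can be supported by tallying the CV= field per remote host from the Exim main log. This is an added example, not part of the original message or of Exim; it assumes delivery lines carry H=, X= and CV= fields as quoted in the post, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Exim main-log entries; every host,
# address and message id below is made up for this example.
SAMPLE_LOG = '''\
2013-01-10 09:00:01 1TtA0a-0001aB-2C => alice@example.org R=dnslookup T=remote_smtp H=mx1.example.org [192.0.2.10] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=mx1.example.org" C="250 OK"
2013-01-10 09:00:05 1TtA0b-0001aD-3E => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=localhost" C="250 OK"
2013-01-10 09:01:12 1TtA0c-0001aF-4G => carol@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=localhost" C="250 OK"
2013-01-10 09:02:30 1TtA0d-0001aH-5I => dave@example.com R=dnslookup T=remote_smtp H=mail.example.com [192.0.2.30]
2013-01-10 09:03:00 1TtA0e-0001aJ-6K <= sender@example.org H=client.example.org [192.0.2.40] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=1234
'''

DELIVERY = re.compile(r"^\S+ \S+ \S+ [=-]> ")   # "=>" / "->" outbound deliveries
QUOTED = re.compile(r'"[^"]*"')                  # DN="..." and C="..." payloads
HOST = re.compile(r" H=(\S+) \[")
CV = re.compile(r" CV=(yes|no)(?= |$)")

def audit(log_text):
    """Tally outbound deliveries per remote host by TLS verification state."""
    stats = defaultdict(lambda: {"verified": 0, "unverified": 0, "cleartext": 0})
    for line in log_text.splitlines():
        if not DELIVERY.match(line):
            continue                              # arrivals, deferrals, etc.
        line = QUOTED.sub('""', line)             # never match inside quoted text
        host = HOST.search(line)
        if host is None:
            continue                              # local delivery, no remote host
        cv = CV.search(line)
        if " X=" not in line:
            state = "cleartext"                   # no TLS session was logged
        elif cv and cv.group(1) == "yes":
            state = "verified"
        else:
            state = "unverified"                  # CV=no, or CV field absent
        stats[host.group(1)][state] += 1
    return dict(stats)

def hosts_to_review(stats):
    """Hosts with at least one TLS delivery that was not logged as CV=yes."""
    return sorted(h for h, s in stats.items() if s["unverified"])

if __name__ == "__main__":
    for host, counts in sorted(audit(SAMPLE_LOG).items()):
        print(host, counts)
```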