Re: [exim] tls_certificate weirdness

Top Page
This message is part of the following thread:
M+\the complete thread tree sorted by date
MMMPhillip Carroll at <-
..MJeremy Harris at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] tls_certificate weirdness
On 23/08/16 20:03, Phillip Carroll wrote:
> The
> fact that "tls_privatekey" must be readable by exim I presume is for
> using STARTTLS for sending messages, although the TLS error message
> about the "tls_privatekey" path occurred on a received message. (I
> questioned the need for access to the private key to receive a message,
> not considering usage in the other direction.)

The Exim code telling the OpenSSL library about the private-key is in
a routine common to both server and client initialisation.

It's a fair point; we might consider making it direction-aware to
reduce the attack surface (even though most installations will be
doing both directions).
--
Cheers,
Jeremy


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] testing evaluation of tls_certificateRe: [exim] tls_certificate weirdness->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)