Hi,
As per the Exim and Debian documentation and defaults, I've set the
following:
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
                                    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
However when I connect to my server over StartTLS, I get offered every
certificate in that path. e.g.
grey-area:/etc/exim4 # openssl s_client -connect localhost:25 -starttls smtp
[...]
---
Acceptable client certificate CA names
CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
C = US, O = AffirmTrust, CN = AffirmTrust Commercial
[...]
C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-2
Is this the correct way to configure things? It seems like quite a lot
of unnecessary data to be sent with almost every new connection...
Thanks!
Richard
--
junix.systems/privacy
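The list that s_client prints under "Acceptable client certificate CA names" is the certificate_authorities field of the server's TLS CertificateRequest, which carries the DER-encoded subject Name of every CA the server was told to trust for client verification (RFC 5246 section 7.4.4: a 2-byte list length, then each DistinguishedName with its own 2-byte length; TLS 1.3 uses the same layout in its certificate_authorities extension). The following script, added here as an illustration and not part of the original post or of Exim, measures what a given CA bundle costs per handshake: it splits a PEM bundle with the standard library only, pulls the subject Name out of each certificate with a minimal DER walker, renders it the way s_client does, and sizes the list as it would go on the wire. Point it at /etc/ssl/certs/ca-certificates.crt to see the real number for the bundle above; with no argument it runs on two constructed, non-real CA certificates built inline with a tiny DER encoder so it works offline. The file name ca_list_size.py in the usage line is assumed.

```python
"""Size the TLS certificate_authorities list a server would send for a CA bundle.

Added example, not Exim code. Standard library only.
"""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Attribute-type OIDs (2.5.4.x) for the short labels s_client prints.
OID_LABELS = {
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
}


def der_tlv(data, pos=0):
    """Decode one DER TLV at pos: (tag, value_start, value_end, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def pem_bundle_to_der(text):
    """Split a PEM bundle (like ca-certificates.crt) into DER certificates."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def subject_der(cert):
    """Return the DER-encoded subject Name (tag and length included) of an X.509 cert."""
    _, tbs_start, _, _ = der_tlv(cert)             # Certificate SEQUENCE
    _, pos, _, _ = der_tlv(cert, tbs_start)        # TBSCertificate SEQUENCE
    tag, _, _, after = der_tlv(cert, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = after
    for _ in range(4):                             # serial, signature alg, issuer, validity
        _, _, _, pos = der_tlv(cert, pos)
    _, _, _, end = der_tlv(cert, pos)              # subject Name
    return cert[pos:end]


def dn_to_text(dn):
    """Render a DER Name the way s_client prints it: 'C = US, O = ..., CN = ...'."""
    _, pos, end, _ = der_tlv(dn)
    parts = []
    while pos < end:
        _, set_start, _, pos = der_tlv(dn, pos)           # RelativeDistinguishedName (SET)
        _, ava_start, _, _ = der_tlv(dn, set_start)       # first AttributeTypeAndValue
        _, oid_s, oid_e, val_pos = der_tlv(dn, ava_start)  # attribute type OID
        _, v_s, v_e, _ = der_tlv(dn, val_pos)             # attribute value string
        label = OID_LABELS.get(dn[oid_s:oid_e], "?")
        parts.append(f"{label} = {dn[v_s:v_e].decode('utf-8', 'replace')}")
    return ", ".join(parts)


def certificate_authorities(bundle_text):
    """Return (DN strings, wire size in bytes of the certificate_authorities list)."""
    dns = [subject_der(c) for c in pem_bundle_to_der(bundle_text)]
    wire = 2 + sum(2 + len(dn) for dn in dns)      # list length + per-DN length prefixes
    return [dn_to_text(dn) for dn in dns], wire


# Constructed sample input: two CA-shaped certificates built with a minimal DER
# encoder so the script runs offline. They are not real certificates.
def tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def name(pairs):
    oids = {label: oid for oid, label in OID_LABELS.items()}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oids[k]) + tlv(0x13, v.encode()))) for k, v in pairs))


def fake_ca_pem(pairs):
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    subj = name(pairs)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa + subj
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
              + subj + tlv(0x30, b""))            # empty SPKI placeholder, no real key
    der = tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))  # dummy signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = fake_ca_pem([("C", "US"), ("O", "Example Corp"), ("CN", "Example Root CA")]) \
    + fake_ca_pem([("C", "DE"), ("CN", "Another Root")])


if __name__ == "__main__":
    # Usage: python3 ca_list_size.py /etc/ssl/certs/ca-certificates.crt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    dns, wire = certificate_authorities(text)
    for dn in dns:
        print(dn)
    print(f"{len(dns)} CA names, {wire} bytes in every CertificateRequest")
```

The size it reports is paid only on connections where the server actually sends a CertificateRequest, so the practical check is to compare this number against the bundle you intend to use for client-certificate verification, rather than against the whole system trust store.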