[exim] Server offering *all* certificates

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Richard Jones
Date:  
À: Exim
Sujet: [exim] Server offering *all* certificates
Hi,

As per the Exim and Debian documentation and defaults, I've set the
following:

MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
    {/etc/ssl/certs/ca-certificates.crt}\
    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES


However when I connect to my server over StartTLS, I get offered every
certificate in that path. e.g.

grey-area:/etc/exim4 # openssl s_client -connect localhost:25 -starttls smtp
[...]
---
Acceptable client certificate CA names
CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
C = US, O = AffirmTrust, CN = AffirmTrust Commercial

[...]

= US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-1
C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-2

Is this the correct way to configure things? It seems like quite a lot
of unnecessary data to be sent with each and almost every new
connection...

Thanks!

Richard

--
junix.systems/privacy