Re: [exim] Server offering *all* certificates

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Server offering *all* certificates
On 29/03/2019 12:08, Richard Jones via Exim-users wrote:
> As per the Exim and Debian documentation and defaults, I've set the
> following:
>
> MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
>     {/etc/ssl/certs/ca-certificates.crt}\
>     {/dev/null}}
> .endif
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
>
> However when I connect to my server over StartTLS, I get offered every
> certificate in that path.
You are presumably setting up to request client certs (this is the CAs
list that you'll be verifying client certs against). The idea is that
the server tells the client what authorities might be acceptable, so
that the client can pick among several client certs it might have
available for presentation.

There's a hint in the docs that you can subvert that by using
(with OpenSSL or with recent GnuTLS) a directory full of certs
for tls_verify_certificates.
Of course, if you're not planning on using client certs, you don't
need any of this.
--
Cheers,
Jeremy
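One way to check what a server is actually advertising, as an added example that is not part of the thread: `openssl s_client` prints the CA names carried in the TLS CertificateRequest under the heading "Acceptable client certificate CA names", so the list can be extracted and compared against the number of certificates in the bundle. The sample output below is constructed, modelled on s_client's format, not a capture from the poster's server; the function names are this example's own.

```shell
# Added example: extract the client-cert CA names a server advertises,
# as printed by `openssl s_client`, and compare with a CA bundle's size.

# Read s_client output on stdin; print one advertised CA name per line.
# The list starts after the heading and ends at the next section marker.
advertised_client_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^Client Certificate Types:/ || /^---/ || /^Requested Signature/) { in_list = 0 }
    in_list { print }
  '
}

# Count names on stdin (0 when the server sent no CA list at all).
count_advertised_cas() {
  advertised_client_cas | wc -l | tr -d ' '
}

# Count certificates in a PEM bundle such as ca-certificates.crt.
# If this roughly matches the advertised count, the server is handing
# out the whole system store as its client-CA hint.
bundle_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample: the relevant part of an s_client run against a server
# that advertises two CAs (hypothetical names, not real authorities).
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Root CA
C = DE, O = Example GmbH, CN = Example Mail CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 4321 bytes and written 876 bytes'

# Constructed sample: a server that requests no client certificate.
SAMPLE_NO_CAS='---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes'

# Live usage against a real server would be (hostname is a placeholder):
#   openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null 2>/dev/null \
#     | count_advertised_cas
printf '%s\n' "$SAMPLE_OUTPUT" | count_advertised_cas
```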