Autor: Jeremy Harris Datum: To: exim-users Betreff: Re: [exim] Server offering *all* certificates
On 29/03/2019 13:44, Richard Jones via Exim-users wrote: > On Mar 29, Jeremy Harris via Exim-users wrote
>> You are presumably setting up to request client certs (this is the CAs
>> list that you'll be verifying client certs against). The idea is that
>> the server tells the client what authorities might be acceptable, so
>> that the client can pick among several client certs it might have
>> available for presentation.
>>
>> There's a hint in the docs that you can subvert that by using
>> (with OpenSSL or with recent GnuTLS) a directory full of certs
>> for tls_verify_certificates.
>>
>>
>> Of course, if you're not planning on using client certs, you don't
>> need any of this.
>
> I was hoping to be able to validate them, yes. It just seems overkill to
> also offer every root CA installed.
>
> If it's a choice of one cert or all, then clearly this isn't the end of
> the world, and thanks!
Since you say "also"... if you're adding a private CA _and_ you
can rely on this set of clients using some reliably-different
(to the hoi-polloi) SNI - you could make the expansion
depend on the presented SNI. See section 10 in the TLS chapter.
--
Cheers,
Jeremy