Re: [exim] Server offering *all* certificates

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Server offering *all* certificates
On 29/03/2019 13:44, Richard Jones via Exim-users wrote:
> On Mar 29, Jeremy Harris via Exim-users wrote:
>> You are presumably setting up to request client certs (this is the CAs
>> list that you'll be verifying client certs against). The idea is that
>> the server tells the client what authorities might be acceptable, so
>> that the client can pick among several client certs it might have
>> available for presentation.
>>
>> There's a hint in the docs that you can subvert that by using
>> (with OpenSSL or with recent GnuTLS) a directory full of certs
>> for tls_verify_certificates.
>>
>>
>> Of course, if you're not planning on using client certs, you don't
>> need any of this.
>
> I was hoping to be able to validate them, yes. It just seems overkill to
> also offer every root CA installed.
>
> If it's a choice of one cert or all, then clearly this isn't the end of
> the world, and thanks!


Since you say "also"... if you're adding a private CA _and_ you
can rely on this set of clients using some reliably-different
(to the hoi-polloi) SNI - you could make the expansion
depend on the presented SNI. See section 10 in the TLS chapter.
--
Cheers,
Jeremy
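The SNI-dependent expansion Jeremy suggests, written out as an Exim configuration fragment. This is an added example, not from the thread or the Exim project; the private hostname, the CA file paths and the ACL name are assumptions, and it relies on tls_verify_certificates being re-expanded once the client's SNI is known (see the TLS chapter of the spec).

```exim
# Added example (not from the thread). Assumed: clients holding certs from the
# private CA connect with SNI "mta-private.example.com"; everyone else uses
# the public hostname. Paths are placeholders.

# ---- main section --------------------------------------------------------

# Setting from the thread: every installed root CA is offered to every client
# in the TLS CertificateRequest, regardless of the SNI presented.
#   tls_verify_certificates = /etc/ssl/certs

# SNI-dependent setting: the option is re-expanded after the client sends its
# SNI, so the private CA is offered only to clients naming the private host.
# $tls_in_sni is empty if the client sent no SNI, so such clients fall through
# to the public bundle.
tls_verify_certificates = ${if eq{$tls_in_sni}{mta-private.example.com} \
                               {/etc/exim/private-ca.pem} \
                               {/etc/ssl/certs/ca-certificates.crt}}

# Request a client certificate but do not abort the handshake if none is
# presented or it fails verification; the decision is made in the ACL below.
tls_try_verify_hosts = *

acl_smtp_mail = acl_check_mail

# ---- ACL section ---------------------------------------------------------

begin acl

acl_check_mail:
  # A client that used the private SNI must have presented a certificate that
  # verified against the private CA; $tls_in_certificate_verified is "1" then.
  deny  condition = ${if and{{eq{$tls_in_sni}{mta-private.example.com}} \
                             {!eq{$tls_in_certificate_verified}{1}}}}
        message   = A verified client certificate is required for this host
        log_message = unverified client cert from $sender_host_address \
                      sni=$tls_in_sni peerdn=$tls_in_peerdn

  accept
```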