Re: [exim] Server offering *all* certificates

Author: Phil Pennock
Date:  
To: Richard Jones
CC: Jeremy Harris via Exim-users
Subject: Re: [exim] Server offering *all* certificates
On 2019-03-29 at 13:44 +0000, Richard Jones via Exim-users wrote:
> I was hoping to be able to validate them, yes. It just seems overkill to
> also offer every root CA installed.
>
> If it's a choice of one cert or all, then clearly this isn't the end of
> the world, and thanks!
This is a crypto library issue.

With OpenSSL, as Jeremy hints at: the behaviour depends entirely upon
whether you provide the library with "a file containing all valid certs"
or "a directory within which we can look for files matching a hash of
the certs".

If you give OpenSSL a file, then it advertises them all to the client.
If you give OpenSSL a directory (processed with c_rehash or equivalent)
then it advertises none to the client, but can verify them all.

I forget what GnuTLS does and frankly have had too good of a Friday
evening to go documentation spelunking to look it up now. :)

In both cases, the behaviour is outside of the direct control of Exim
(AFAIK) and we just expose ways of working with the libraries in their
"normal" ways. Because we're masochists like that ^W^W^W^W thought that
would be a good idea.

-Phil
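An added shell example, not from this thread or from Exim, showing the two things Phil refers to: building the hash-named directory layout that c_rehash produces (so the CAs are usable for verification without being advertised), and counting how many CA names a server actually sends, from `openssl s_client` output. All paths, the bundle and the sample output in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the exim thread: build a CApath-style directory
# (what c_rehash produces) from a PEM bundle, and count the CA names a
# server advertises. Paths and sample output are constructed.

# Split a PEM bundle into one cert per file ($2/cert<n>.pem). Pure awk,
# so it needs no openssl; rehash_dir below does the hash naming.
split_bundle() {
  bundle=$1; dir=$2
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
}

# Rename each cert<n>.pem in $1 to <subject_hash>.<i>, the layout OpenSSL's
# CApath lookup expects (c_rehash also handles CRLs; this does certs only).
# A directory in this layout verifies client certs but is not sent to
# clients as a CA list, which is the behaviour described above.
rehash_dir() {
  dir=$1
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] || continue
    h=$(openssl x509 -in "$f" -noout -subject_hash)
    i=0; while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
    mv "$f" "$dir/$h.$i"
  done
}

# Count the names listed under "Acceptable client certificate CA names"
# in `openssl s_client -starttls smtp -connect host:25` output on stdin.
# Prints 0 when the server sent no list (the CApath case).
count_advertised_cas() {
  awk '/^Acceptable client certificate CA names/ { on = 1; next }
       /^(Client Certificate Types|Requested Signature Algorithms|---)/ { on = 0 }
       on { n++ }
       END { print n + 0 }'
}
```

Pipe the server's s_client output into `count_advertised_cas` before and after switching tls_verify_certificates from the bundle file to the rehashed directory; the count should drop from the full bundle size to 0.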