Re: [exim] Problem with tls_certificate and multiple domains

Góra strony
Delete this message
Reply to this message
Autor: Arkadiusz Miśkiewicz
Data:  
Dla: exim-users
Temat: Re: [exim] Problem with tls_certificate and multiple domains
On 16/10/2019 07:58, Heiko Schlittermann via Exim-users wrote:
> Heiko Schlittermann via Exim-users <exim-users@???> (Mi 16 Okt 2019 06:48:25 CEST):
>>     TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}

>>
>>     tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
>>     tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem

>>
>> You need a "fallback", as there is a fair chance, that the client
>> doesn't send you a TLS SNI.
>
> The above is nonsens, missing '$' and breaks if $tls_in_sni doesn't
> match an existing file. Sorry for that. Now, after a cup of coffee:
>
> That's what I have in my working configuration.
>
> TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}
>
> tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
>     {/var/lib/exim4/TLS_SNI-ssl.pem}\
>     {/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}

>
> But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
> contain ../../../ and what impact this could have. So, probably in a
> first step you should sanitize the $tls_in_sni.


You can use sha1 (or other) hashes as filenames. That makes the whole
problem go away but requires tool to setup filename with hashes.

tls_privatekey = ${if
exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/mail/exim-default-key.pem}}
tls_certificate = ${if
exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/mail/exim-default-cert.pem}}



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )