Re: [exim] TLS authentication

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 09:17:51PM +0000, Jeremy Harris via Exim-users wrote:

> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
>
> In exim usage that's a test on a certextract of the issuer of
> $tls_in_peercert, either just in ACL or as part of the
> server_condition for an authenticator using the tls driver.
>
> For either, the TLS session has to have been accepted first.


The problem is that any root CA can issue a subCA with any subject DN it
wants. So just checking issuer names, and expecting these to uniquely
identify a private dedicated CA is not "safe".

There is no global X.500 namespace that ensures uniqueness of CA
"distinguished names", they're just made up.

So, if I can't bypass the system trust store, I would be more inclined
to check the issuer public key, not the issuer DN. That said, an
OpenSSL application can just set the environment and get a non-default
trust store location:

    https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html


        const char *X509_get_default_cert_dir_env(void);
        const char *X509_get_default_cert_file_env(void);


Just set those environment variables (just between us friends, those
are "SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that
hold only the application-specific trust anchors, and the system
trust store would no longer be loaded by default. This works
for OpenSSL, can't speak to GnuTLS...

-- 
    Viktor.
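The point Viktor makes above, that an issuer DN is a made-up name any CA can reproduce while the issuer's public key cannot be imitated, is shown below in a Go program added here as an illustration; it is not code from this thread, from Exim or from OpenSSL. It uses only Go's standard library: it mints a "genuine" dedicated CA and an impostor CA with the identical subject DN, issues a client certificate from each, and applies two checks to both leaves. The weak check compares the issuer name string and accepts both; the strong check verifies the chain against a trust store holding only the dedicated CA (the in-process analogue of pointing SSL_CERT_FILE at that one CA) and then compares the SHA-256 of the anchoring root's SubjectPublicKeyInfo with a pinned value. All CA names, the "alice" client and the key type (P-256) are assumptions made for the example; it also assumes the client certificate is issued directly by the dedicated CA with no intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with its private key (everything here is constructed in memory).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// mint generates a fresh P-256 key and a certificate with subject CN=cn. With a nil
// parent the result is a self-signed CA; otherwise a client-auth leaf signed by parent.
func mint(cn string, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// spkiFingerprint is the SHA-256 of the SubjectPublicKeyInfo: the issuer *key*
// identity that a made-up DN cannot imitate.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// issuerDNMatches is the weak check discussed in the thread: compare issuer name strings.
func issuerDNMatches(leaf *x509.Certificate, expectedIssuer string) bool {
	return leaf.Issuer.String() == expectedIssuer
}

// acceptedByPinnedIssuer is the strong check: verify the chain against a trust store
// holding only the dedicated CA (what pointing SSL_CERT_FILE at that CA achieves for
// OpenSSL), then confirm the root that anchored the chain carries the pinned key.
func acceptedByPinnedIssuer(leaf, dedicated *x509.Certificate, pinnedSPKI string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(dedicated)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false // signature does not chain to the dedicated CA
	}
	root := chains[0][len(chains[0])-1]
	return spkiFingerprint(root) == pinnedSPKI
}

func main() {
	mintOrDie := func(cn string, parent *Identity) *Identity {
		id, err := mint(cn, parent)
		if err != nil {
			panic(err)
		}
		return id
	}
	genuine := mintOrDie("Private Dedicated CA", nil)
	impostor := mintOrDie("Private Dedicated CA", nil) // identical DN, unrelated key
	dn, pin := genuine.Cert.Subject.String(), spkiFingerprint(genuine.Cert)
	for _, ca := range []*Identity{genuine, impostor} {
		leaf := mintOrDie("alice", ca).Cert
		fmt.Printf("issuer %s (SPKI %.16s…): DN check=%v  pinned-key check=%v\n",
			ca.Cert.Subject.String(), spkiFingerprint(ca.Cert),
			issuerDNMatches(leaf, dn), acceptedByPinnedIssuer(leaf, genuine.Cert, pin))
	}
}
```

Running it prints two lines: the DN check reports true for both issuers, the pinned-key check reports true only for the leaf signed by the genuine CA. The same discrimination is what an Exim ACL gets for free once the TLS trust store contains nothing but the dedicated CA, which is why narrowing the trust store (or pinning the issuer key) is the check that actually authorises, and a certextract of the issuer name is not.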