Re: [exim] TLS authentication

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:

> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
>
> - not immediately obvious how to *compute* the checksum to match in
> the first place. I don't expect it's just the checksum over the pem
> file, is it?


No, PEM is not suitably canonical, for that you'd want the ASN.1 DER
form of the public key (or full certificate, whichever you prefer).

> - the documentation for the md5 (and sha1) expansion operators is cryptic:
>
>     If the string is a single variable of type certificate, returns the
>     MD5 hash fingerprint of the certificate.


MD5 is deprecated; ideally Exim also supports sha256 in the same role.
The hash should be computed over the DER form.

> what is a "variable of type certificate" in exim's proudly unityped
> macro language?


I am a Postfix maintainer, mostly lurking on this list, except when it
comes to TLS-related or especially DANE-related issues. So I can't answer
anything about Exim variables. On the command-line, to extract the public
key and/or certificate digests:

    # key digest
    $ openssl x509 -in cert.pem -pubkey -noout |
        openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
                xxd -p -c32


    # cert digest
    $ openssl x509 -in cert.pem -outform DER |
        openssl dgst -sha256 -binary |
            xxd -p -c32


-- 
    Viktor.
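The two digests above, reimplemented in Python with only the standard library, as an added example that is not part of the original thread and not Postfix or Exim code. It shows the point Viktor makes about PEM not being canonical: the same DER certificate armored with different line widths or with a leading text header gives different PEM text but the same SHA-256 over the DER. The SubjectPublicKeyInfo is located with a minimal DER TLV walker that follows the fixed field order of an X.509 Certificate (version, serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo), which is enough for any definite-length DER certificate. The sample certificate is constructed inline by a tiny DER encoder; it is syntactically X.509-shaped but not a real or valid certificate, and the key material in it is a placeholder.

```python
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the single-byte-tag DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(pem_text):
    """Strip the PEM armor (and anything before it) and base64-decode the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki_der(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return that TLV's DER bytes."""
    tag, tbs_tlv, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, tbs_tlv)        # TBSCertificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)            # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)            # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def cert_fingerprint(cert_der):
    """SHA-256 over the full DER certificate (the second command in the message)."""
    return hashlib.sha256(cert_der).hexdigest()


def spki_fingerprint(cert_der):
    """SHA-256 over the DER SubjectPublicKeyInfo (the first command in the message)."""
    return hashlib.sha256(extract_spki_der(cert_der)).hexdigest()


def der_to_pem(der, width=64, header_text=""):
    """Re-armor DER as PEM; width and header_text exist only to show PEM is not canonical."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return header_text + "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# ---- constructed sample data (not a real certificate) ----

def _tlv(tag, body):
    """Minimal DER encoder: tag, definite length, body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert_der():
    """Return (cert_der, spki_der) for a constructed, X.509-shaped placeholder certificate."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # v3
    serial = _tlv(0x02, b"\x01")
    empty_name = _tlv(0x30, b"")                                      # placeholder Name
    validity = _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"240101000000Z"))
    rsa_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    fake_key = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xab" * 16) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + fake_key))
    tbs = _tlv(0x30, version + serial + sha256_rsa + empty_name + validity + empty_name + spki)
    signature = _tlv(0x03, b"\x00" + bytes(32))                       # placeholder signature
    return _tlv(0x30, tbs + sha256_rsa + signature), spki


if __name__ == "__main__":
    der, _ = build_sample_cert_der()
    pem_a = der_to_pem(der, 64)
    pem_b = der_to_pem(der, 76, "Subject: constructed sample\n")     # different text, same DER
    print("cert sha256:", cert_fingerprint(pem_to_der(pem_a)))
    print("spki sha256:", spki_fingerprint(pem_to_der(pem_b)))
```

Pinning the SPKI digest rather than the certificate digest is the choice that survives a routine certificate renewal with the same key pair, which is why the two commands in the message are worth keeping apart; whichever one is pinned, the hex output here matches `openssl dgst -sha256` over the corresponding DER, so the value can be cross-checked against the command-line pipelines above.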