diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-22 19:16:19 +0000 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-23 17:38:53 +0000 |
| commit | 44383db480a782c56a2195d46bea6df89e4cef3e (patch) | |
| tree | b2e5600eedb94413af3ad2503d1b3d300a3923ec /doc | |
| parent | 27df4b34b1135b0cf29b08e4d90676689b09d1ae (diff) | |
Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 17 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
| -rw-r--r-- | doc/doc-txt/experimental-spec.txt | 35 |
3 files changed, 20 insertions, 37 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index e86fea800..823b86dbd 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23435,7 +23435,7 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. -.option tls_try_verify_hosts smtp "host list&!! unset +.option tls_try_verify_hosts smtp "host list&!!" unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which, on encrypted connections, @@ -23448,6 +23448,19 @@ The &$tls_out_certificate_verified$& variable is set when certificate verification succeeds. +.option tls_verify_cert_hostnames smtp "host list&!!" * +.cindex "TLS" "server certificate hostname verification" +.cindex "certificate" "verification of server" +This option give a list of hosts for which, +while verifying the server certificate, +checks will be included on the host name +(note that this will generally be the result of a DNS MX lookup) +versus Subject and Subject-Alternate-Name fields. Wildcard names are permitted +limited to being the initial component of a 3-or-more component FQDN. + +There is no equivalent checking on client certificates. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" @@ -23471,7 +23484,7 @@ if neither tls_verify_hosts nor tls_try_verify_hosts are set and certificate verification fails the TLS connection is closed. -.option tls_verify_hosts smtp "host list&!! unset +.option tls_verify_hosts smtp "host list&!!" unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which. on encrypted connections, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3963567e2..abac469c6 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -12,6 +12,11 @@ JH/02 The smtp transport option "multi_domain" is now expanded. JH/03 The smtp transport now requests PRDR by default, if the server offers it. +JH/04 Certificate name checking on server certificates, when exim is a client, + is now done by default. The transport option tls_verify_cert_hostname + can be used to disable this per-host. The build option + EXPERIMENTAL_CERTNAMES is withdrawn. + Exim version 4.85 ----------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index d57cbf903..16c0f56da 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1146,41 +1146,6 @@ Adding it to a redirect router makes no difference. -Certificate name checking --------------------------------------------------------------- -The X509 certificates used for TLS are supposed be verified -that they are owned by the expected host. The coding of TLS -support to date has not made these checks. - -If built with EXPERIMENTAL_CERTNAMES defined, code is -included to do so for server certificates, and a new smtp transport option -"tls_verify_cert_hostnames" supported which takes a hostlist -which must match the target host for the additional checks must be made. -The option currently defaults to empty, but this may change in -the future. "*" is probably a suitable value. -Whether certificate verification is done at all, and the result of -it failing, is stll under the control of "tls_verify_hosts" nad -"tls_try_verify_hosts". - -The name being checked is that for the host, generally -the result of an MX lookup. - -Both Subject and Subject-Alternate-Name certificate fields -are supported, as are wildcard certificates (limited to -a single wildcard being the initial component of a 3-or-more -component FQDN). - -The equivalent check on the server for client certificates is not -implemented. At least one major email provider is using a client -certificate which fails this check. They do not retry either without -the client certificate or in clear. - -It is possible to duplicate the effect of this checking by -creative use of Events. - - - - DANE ------------------------------------------------------------ DNS-based Authentication of Named Entities, as applied |