diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-23 16:10:30 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-01-12 18:58:34 +0000 |
commit | cb1d783072c488a4a558607b2ee122efba95aa4b (patch) | |
tree | cb7a278c3917deb2a116fa01750f436e6250ab8e /doc | |
parent | 01a4a5c5cbaa40ca618d3e233991ce183b551477 (diff) |
Support use of system default CA bundle
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 66 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 4 |
2 files changed, 47 insertions, 23 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 5bdf57282..dc7e4f75c 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16481,14 +16481,24 @@ See &%tls_verify_hosts%& below. .option tls_verify_certificates main string&!! unset .cindex "TLS" "client certificate verification" .cindex "certificate" "verification of client" -The value of this option is expanded, and must then be the absolute path to -a file containing permitted certificates for clients that -match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you -are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set &%tls_verify_certificates%& to the name of a -directory containing certificate files. -For earlier versions of GnuTLS -the option must be set to the name of a single file. +The value of this option is expanded, and must then be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for clients that +match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. + +The "system" value for the option will use a +system default location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20 and an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. + +With OpenSSL the certificates specified +explicitly +either by file or directory +are added to those given by the system default location. With OpenSSL the certificates specified explicitly @@ -23453,15 +23463,18 @@ There is no equivalent checking on client certificates. .cindex "certificate" "verification of server" .vindex "&$host$&" .vindex "&$host_address$&" -The value of this option must be the absolute path to a file containing -permitted server certificates, for use when setting up an encrypted connection. -Alternatively, -if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set -&%tls_verify_certificates%& to the name of a directory containing certificate -files. -For earlier versions of GnuTLS the option must be set to the name of a -single file. +The value of this option must be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for servers, +for use when setting up an encrypted connection. + +The "system" value for the option will use a location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20 and an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. With OpenSSL the certificates specified explicitly @@ -25949,8 +25962,9 @@ include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: .ilist -The &%tls_verify_certificates%& option must contain the name of a file, not the -name of a directory for GnuTLS versions before 3.3.6 +The &%tls_verify_certificates%& option +cannot be the path of a directory +for GnuTLS versions before 3.3.6 (for later versions, or OpenSSL, it can be either). .next The default value for &%tls_dhparam%& differs for historical reasons. @@ -26302,8 +26316,10 @@ session with a client, you must set either &%tls_verify_hosts%& or apply to all TLS connections. For any host that matches one of these options, Exim requests a certificate as part of the setup of the TLS session. The contents of the certificate are verified by comparing it with a list of -expected certificates. These must be available in a file or, -for OpenSSL only (not GnuTLS), a directory, identified by +expected certificates. +These may be the system default set (depending on library version), +an explicit file or, +depending on library version, a directory, identified by &%tls_verify_certificates%&. A file can contain multiple certificates, concatenated end to end. If a @@ -26463,9 +26479,13 @@ if it requests it. If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it +specified a collection of expected server certificates. +These may be the system default set (depeding on library version), +a file or, +depnding on liibrary version, a directory, must name a file or, -for OpenSSL only (not GnuTLS), a directory, that contains a collection of -expected server certificates. The client verifies the server's certificate +for OpenSSL only (not GnuTLS), a directory. +The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. Failure to verify fails the TLS connection unless either of the diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 27abe4701..f2954b945 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -17,6 +17,10 @@ JH/04 Certificate name checking on server certificates, when exim is a client, can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn. +JH/05 The value of the tls_verify_certificates smtp transport and main options + can now be the word "system" to access the system default CA bundle. + For GnuTLS, only version 3.0.20 or later. + Exim version 4.85 ----------------- |