From 6b8e6cb23ce5cc39a83c7fd0a373c79953351fec Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 16 Jan 2011 22:21:37 -0500 Subject: [PATCH] Clarify: tls_verify_certificates is for CA certs. It can be used for individual user certs but is really intended for CAs. Note this, and explain that if the tls_verify_certificates value is a file, then the certs within are sent from the server to clients, thus is public data. --- doc/doc-docbook/spec.xfpt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 15b3a2b89..160410bd3 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15431,6 +15431,13 @@ are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a directory containing certificate files. This does not work with GnuTLS; the option must be set to the name of a single file if you are using GnuTLS. +These certificates should be for the certificate authorities trusted, rather +than the public cert of individual clients. With both OpenSSL and GnuTLS, if +the value is a file then the certificates are sent by Exim as a server to +connecting clients, defining the list of accepted certificate authorities. +Thus the values defined should be considered public data. To avoid this, +use OpenSSL with a directory. + .option tls_verify_hosts main "host list&!!" unset .cindex "TLS" "client certificate verification" -- 2.25.1