On 2010-11-23 at 15:43 -0500, Phil Pennock wrote:
> Okay, your question as phrased was entirely about using client
> certificates.
>
> Yes, you can have Exim act as the server-side, verifying client certs
> based on a CA. The documentation is not entirely clear on this, I've
> made a note to clarify things.

http://git.exim.org/exim.git/commit/6b8e6cb23ce5cc39a83c7fd0a373c79953351fec

Added to the spec definition of tls_verify_certificates in the main section:

+These certificates should be for the certificate authorities trusted, rather +than the public cert of individual clients. With both OpenSSL and GnuTLS, if +the value is a file then the certificates are sent by Exim as a server to +connecting clients, defining the list of accepted certificate authorities. +Thus the values defined should be considered public data. To avoid this, +use OpenSSL with a directory.

-Phil
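
Review bot: The closing sentence, "To avoid this, use OpenSSL with a directory", leaves GnuTLS users without guidance. Since the preceding sentence names both libraries, state explicitly whether a directory value is usable with GnuTLS, or that GnuTLS deployments must treat the CA list as public. In the first added sentence, "the certificate authorities trusted" would read better as "the trusted certificate authorities". The phrase "the certificates are sent ... defining the list of accepted certificate authorities" should also say whether the client sees the certificates themselves or only their names, so an operator can judge what is disclosed.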
