The current exim OpenSSL build takes the "verify" bundle specified by global "tls_verify_certificates" and (presumably only if it can find a match?) decorates the server cert specified by global "tls_certificate" to give (in my testing - testcase 5760) a full certificate chain.

No particular harm ensues; I only saw this due to the expanded version of TPDA I'm working on (it has a tls:cert event, raised once per cert in the server chain seen by a client) - but this does seem to unfortunately conflate the meanings of the configuration options. You can confirm the wire traffic using Wireshark.

The exim GnuTLS build does not do this; it does the simple thing.

The relevant docs seem to be:

https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#
  "When building its own certificate chain, an OpenSSL client/server will try to fill in missing certificates from CAfile/CApath, if the certificate chain was not explicitly specified"

https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
  "If additional certificates are needed to complete the chain during the TLS negotiation, CA certificates are additionally looked up in the locations of trusted CA certificates"

We call SSL_CTX_load_verify_locations() in setup_certs() using tls_verify_certificates.
We call SSL_CTX_use_certificate_chain_file() in tls_expand_session_files() using tls_certificate - presumably this does not count as "explicitly specified".

Any ideas? Should we bother trying to fix this?
-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/
##
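An added example, not part of the message above and not exim code, that reproduces the observation with the openssl command-line tools instead of Wireshark. openssl s_server takes the same two code paths: -cert sets the SSL_CTX certificate and -CAfile goes to SSL_CTX_load_verify_locations(), so the two flags stand in for tls_certificate and tls_verify_certificates. The CA and leaf are constructed throwaway test certificates, PORT is an arbitrary local port, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the exim-dev post, not exim code): show how many
# certificates an OpenSSL server puts on the wire when its cert file holds
# only the leaf, with and without the issuing CA in the verify bundle.
# Throwaway test PKI and arbitrary PORT are assumptions of this example.
set -eu

PORT=${PORT:-14433}
WORK=$(mktemp -d)
SERVER_PID=''
trap 'kill "${SERVER_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Two-level throwaway PKI: a self-signed CA and a leaf ("server") cert it issues.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Test-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=localhost \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Serve the leaf cert (plus the extra server arguments in $1, which must be
# passed, either "" or "-CAfile <bundle>"), connect once with s_client and
# return the number of certificates the server sent. s_client lists them under
# "Certificate chain" as " 0 s:...", " 1 s:...", so counting those depth lines
# counts what was on the wire (-showcerts additionally dumps each one as PEM).
certs_sent() {
    # $1 is intentionally unquoted so "-CAfile <file>" splits into two words
    openssl s_server -accept "$PORT" -www -cert "$WORK/leaf.pem" \
        -key "$WORK/leaf.key" $1 >/dev/null 2>&1 &
    SERVER_PID=$!
    n=''
    for _ in 1 2 3 4 5 6 7 8 9 10; do   # give the listener time to come up
        if out=$(openssl s_client -connect 127.0.0.1:"$PORT" -showcerts \
                 </dev/null 2>/dev/null); then
            n=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
            break
        fi
        sleep 1
    done
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=''
    echo "$n"
}

# Run both configurations and print the counts side by side.
demo() {
    make_pki
    printf 'leaf only:                    %s cert(s) sent\n' "$(certs_sent "")"
    printf 'leaf + -CAfile verify bundle: %s cert(s) sent\n' \
        "$(certs_sent "-CAfile $WORK/ca.pem")"
}

demo
```

The first run sends one certificate; the second sends two, the extra one being the CA that s_server pulled out of the -CAfile bundle to complete the chain, which is the decoration described above. The OpenSSL API offers three ways to stop the verify bundle from doubling as chain material, all documented in the OpenSSL manual pages: set SSL_MODE_NO_AUTO_CHAIN with SSL_CTX_set_mode(); keep the two stores apart with SSL_CTX_set1_verify_cert_store() and SSL_CTX_set1_chain_cert_store() (OpenSSL 1.0.2 and later); or supply the chain explicitly with SSL_CTX_set0_chain()/SSL_CTX_set1_chain(), which is what "explicitly specified" refers to in the quoted documentation.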
