Tried GnuTLS and guess what? GnuTLS code keeps peercert & peerdn defined for invalid certificates!
So, this is not a feature - this is a bug fix.
> - Doesn't do anything for GnuTLS builds

Not needed. GnuTLS already works the same way.

> - Wastefully dups every link in a CA-anchored chain

Fixed (X509_free).

> - Depends on undocumented behaviour of OpenSSL; that
>   the verify callback will always be called for every certificate
>   chain element, including when a nonterminal certificate
>   does not verify

The behavior is actually already documented. Perhaps it wasn't before.

> - Does not work for DANE-anchored chains

Questionable. We'll see when this functionality is implemented in OpenSSL.

> - Needs documentation

No need for a docs change - everything now works according to the docs.

> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once).  This should also be true for DANE.

True.

So, please try my next pull request: https://github.com/Exim/exim/pull/25


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
