On 26/12/14 00:44, Viktor Dukhovni wrote:
> On Thu, Dec 25, 2014 at 09:45:42PM +0000, Jeremy Harris wrote:
>> - Doesn't do anything for GnuTLS builds
>> - Wastefully dups every link in a CA-anchored chain
>> - Depends on undocumented behaviour of OpenSSL; that
>> the verify callback will always be called for every certificate
>> chain element, including when a nonterminal certificate
>> does not verify
>> - Does not work for DANE-anchored chains
>> - Needs documentation
>
> This does not sound right.

Which part?

> When the verify callback unconditionally
> returns "1" (continue with handshake) even when "ok == 0", then
> every element of the certificate chain will be passed to the verify
> callback (at least once).

Reference?

> This should also be true for DANE.

You're not looking at his code, which did not appear in the DANE
verification path.

> Get in touch off-list if you're seeing something else. Postfix
> always completes the handshake, and gracefully disconnects (QUIT)
> if the connection is less secure than desired.

Postfix is not relevant here.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/ ##
