On Monday, 17 October 2016, Phil Pennock wrote:
> On 2016-10-12 at 14:50 +0200, Arkadiusz Miśkiewicz wrote:
> > Docs say that $tls_sni has raw data from client:
> > 
> > "Great care should be taken to deal with matters of case, various
> > injection attacks in the string (../ or SQL), and ensuring that a valid
> > filename can always be referenced; it is important to remember that
> > $tls_sni is arbitrary unverified data provided prior to authentication."
> Someone read the text I wrote!  Woohoo!
> (It only took a few years ...)
> > What is safest approach to handle $tls_sni when trying
> > to expand it to file on filesystem?
> Use a cryptographic hash for the filename.  

Sounds smart.

> Or base64-encode it.

"/" is part of the base64 alphabet, so it would have to be replaced with another
character, too.


> exists{/etc/mail/ssl/${sha1:${lc:tls_sni}}.pem}{/etc/mail/ssl/${sha1:${lc:tls_sni}}.pem}{/etc/mail/default-cert.pem}

I wonder how big the performance impact will be on each connection when
using sha1. The SHA will be calculated even twice for a single connection.

I'm guessing there is no big impact, as various hashing is already used in other places
like SMTP AUTH etc.
> -Phil

Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
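The scheme discussed above (hash the lowercased SNI and use the digest as the filename, or base64-encode it with "/" replaced), worked through as an added Python example. This is not code from the thread or from Exim; the certificate directory, the default certificate path and the hostile SNI strings are assumptions constructed for the example. Exim's ${sha1:} operator emits 40 uppercase hex characters, so the on-disk filenames must be created the same way for the expansion to find them.

```python
import base64
import hashlib
import os

# Hypothetical paths, matching the layout used in the thread's expansion.
CERT_DIR = "/etc/mail/ssl"
DEFAULT_CERT = "/etc/mail/default-cert.pem"


def sni_to_sha1_name(sni: str) -> str:
    """Mirror ${sha1:${lc:tls_sni}}: lowercase first, then SHA-1.

    The digest is returned as 40 uppercase hex characters, which is what
    Exim's ${sha1:} operator produces, so certificate files on disk must be
    named with the same uppercase form.
    """
    digest = hashlib.sha1(sni.lower().encode("utf-8")).hexdigest()
    return digest.upper()


def sni_to_base64_name(sni: str) -> str:
    """Base64 variant using the URL-safe alphabet.

    Standard base64 output can contain "/" (a path separator) and "+", so a
    plain base64 encoding is not safe as a filename on its own; the URL-safe
    alphabet substitutes "-" and "_" for them.
    """
    return base64.urlsafe_b64encode(sni.lower().encode("utf-8")).decode("ascii")


def cert_path_for_sni(sni: str, cert_dir: str = CERT_DIR,
                      default: str = DEFAULT_CERT) -> str:
    """Return the per-SNI certificate path if it exists, else the default.

    This is the exists{...}{...}{...} expansion from the thread, with the
    hash computed once instead of twice per connection.
    """
    candidate = os.path.join(cert_dir, sni_to_sha1_name(sni) + ".pem")
    return candidate if os.path.isfile(candidate) else default


def is_safe_filename(name: str) -> bool:
    """Sanity check: a derived name has no separators, no '..' and is non-empty."""
    return bool(name) and "/" not in name and "\\" not in name and ".." not in name


if __name__ == "__main__":
    # Constructed hostile and benign SNI values; none reaches the filesystem
    # unchanged, and case differences collapse to the same file.
    for sni in ["mail.example.org", "MAIL.EXAMPLE.ORG",
                "../../../etc/passwd", "x' OR 1=1 --"]:
        print(f"{sni!r} -> {sni_to_sha1_name(sni)}  {sni_to_base64_name(sni)}")
        print("   cert:", cert_path_for_sni(sni))
```

Running the script shows that the path-traversal and SQL-style strings produce ordinary hex names, and that upper- and lower-case spellings of the same host select the same certificate file.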

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/