On 2022-03-23, The Doctor via Exim-users <[email protected]> wrote:
>
> Question:
>
> In my configuration file I have
>
> tls_certificate = ${if exists\
>                    {/path/to/2021/${tls_sni}/chain.cert}\
>             {/path/to/2022/${tls_sni}/chain.cert}\
>        {/path/to/default//chain.cert}\
>  }
>  tls_privatekey = ${if exists\
>           {path/to/old/${tls_sni}/key}\
>        {/path/to/current/${tls_sni}/key}\
>   {/path/to/defalut/key}\
> }
>
> Am I missing something?

Tainting I guess. ${tls_sni} is a value which may contain any bytes
whatsoever, and can be, and has been, abused by attackers, thus exim
doesn't trust it in a filesystem context.

So even though you know the names of the files, you need
to verify them against a home truth. Something like:

    tls_privatekey = ${lookup {$tls_sni} dsearch,ret=full \
       {/path/to/current/}{$value/key}{/path/to/default/key}}

This assumes that the file "key" exists if the subdirectory $tls_sni
is found. If you want to be paranoid you can replace $value/key with
an if-exists check using "$value/key" instead of
"path/to/current/${tls_sni}/key".

I'm a fan of putting the key, certificate, and chain into a single
file, as this reduces the number of configuration settings needed. Then
you could have file-per-domain in a single directory, and replace
"/key" with ".allcert" or similar above (not needing the if-exists test at all):

    tls_privatekey = ${lookup {$tls_sni.allcert} dsearch,ret=full \
       {/path/to/current/}{$value}{/path/to/default.allcert}}

Also you misspelled default one time, and 2021 vs 2022; I'm
guessing transcription errors, but you did ask.
Also double slashes, but I think that is harmless in POSIX.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
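The tainted-versus-dsearch lookup discussed in the reply, as an added example that is not from the thread and not Exim code: a small Python model (the `dsearch` function and the constructed directory tree are assumptions) showing why splicing `$tls_sni` into a path differs from matching it against existing directory entries.

```python
import os
import tempfile

def dsearch(base, key):
    # Model of Exim's dsearch,ret=full: the untrusted key is only compared with
    # names that already exist in base, so only admin-created names reach the path.
    try:
        entries = os.listdir(base)
    except OSError:
        return None
    return os.path.join(base, key) if key in entries else None

def key_path_taint(base, sni, default):
    # The questioner's pattern: ${if exists{base/${tls_sni}/key}...}
    # Whatever the client sent as SNI is spliced straight into the path.
    candidate = os.path.join(base, sni, "key")
    return candidate if os.path.exists(candidate) else default

def key_path_dsearch(base, sni, default):
    # ${lookup {$tls_sni} dsearch,ret=full {base}{$value/key}{default}}
    found = dsearch(base, sni)
    return os.path.join(found, "key") if found else default

def allcert_path(base, sni, default):
    # ${lookup {$tls_sni.allcert} dsearch,ret=full {base}{$value}{default}}
    return dsearch(base, sni + ".allcert") or default

def demo():
    # Constructed tree: current/example.com/key, current/example.com.allcert,
    # a default key, and a file outside the per-SNI directory.
    root = tempfile.mkdtemp()
    current = os.path.join(root, "current")
    for rel in ("current/example.com/key", "current/example.com.allcert",
                "default/key", "outside/key"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    default_key = os.path.join(root, "default", "key")
    hostile = "../outside"  # constructed: an SNI value no admin would provision
    r = {
        "good_dsearch": key_path_dsearch(current, "example.com", default_key),
        "hostile_taint": key_path_taint(current, hostile, default_key),
        "hostile_dsearch": key_path_dsearch(current, hostile, default_key),
        "unknown_dsearch": key_path_dsearch(current, "nosuch.test", default_key),
        "allcert": allcert_path(current, "example.com", default_key),
    }
    # Did the naive pattern hand back a file outside the intended directory?
    inside = os.path.realpath(current) + os.sep
    r["hostile_taint_escaped"] = not os.path.realpath(r["hostile_taint"]).startswith(inside)
    return r
```

The naive `exists` check happily accepts a path that resolves outside `current/`, while the dsearch model falls through to the default for anything that is not an exact directory entry.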
