On 2025/06/18 5:31 AM, Viktor Dukhovni via Exim-users wrote:
> Jeremy, is there anything in Exim roughly equivalent to the Postfix "fingerprint" security level?
With the caveat that I'm no expert on what Postfix is offering, in Exim the server cert presented for a client connection is available in $tls_out_peercert, and can be fed to assorted hash operators (eg. ${sha256:...}) to obtain a fingerprint (*). This could be compared against a reference value, for example in the "client_condition" option of the authenticator being used for the OP connection.

[ There is the tls:cert event type, but related to this issue it could only be used to refuse an otherwise-passing verification, not the relaxation of security wanted. An extension I'd not considered; not too hard to code should anyone want to take the job on; slightly more technically satisfying than checking in the authenticator. ]

--
Cheers,
  Jeremy

*) under OpenSSL, it ends up calling X509_digest() with (eg.) EVP_sha256().
   under GnuTLS, which I think is the Debian preference, gnutls_x509_crt_get_fingerprint
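Putting the suggestion above into a minimal configuration, as an added example that is not part of the thread or of the Exim distribution: the smtp transport requires TLS and authentication, and the authenticator's client_condition only releases the credentials when the SHA-256 fingerprint of the presented server certificate equals a pinned value. The host name, the pinned fingerprint and the credentials are placeholders.

```exim
# Added example, not from the mailing-list thread.
# Trust in the relay's certificate comes from the pinned fingerprint
# checked in the authenticator, not from CA validation.

begin transports

relay_smtp:
  driver = smtp
  hosts = relay.example.net
  port = 587
  # Never send in clear; STARTTLS is mandatory for this relay.
  hosts_require_tls = *
  # If no authenticator is usable (e.g. the fingerprint check below
  # fails), the delivery is deferred instead of proceeding unauthenticated.
  hosts_require_auth = *

begin authenticators

relay_plain:
  driver = plaintext
  public_name = PLAIN
  # ${sha256:} applied to a certificate variable returns the certificate's
  # SHA-256 fingerprint as uppercase hex with no colons. The 64 zeros are a
  # placeholder for the real relay fingerprint.
  client_condition = ${if eq{${sha256:$tls_out_peercert}}\
                        {0000000000000000000000000000000000000000000000000000000000000000}}
  # Placeholder credentials; in production read them from a protected file.
  client_send = ^relayuser^RELAY_PASSWORD_PLACEHOLDER
```

The pinned value must be written the way Exim's sha256 operator renders it (uppercase hex, no separators), so strip the colons from the output of `openssl x509 -noout -fingerprint -sha256` before pasting it in.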