Bug#522690: exim4-daemon-heavy: previously working client ssl certificate setup fails to work in lenny
Stephen Gran
sgran at debian.org
Tue Apr 7 20:07:12 UTC 2009
This one time, at band camp, Andreas Metzler said:
> On 2009-04-05 Stephen Gran <sgran at debian.org> wrote:
> have just tried to reproduce this. Both sides are running lenny. The
> client is running basically the vanilla debian config with these
> changes:
>
> The testserver is also running on port 1111 with a self-signed certificate,
> it has set tls_try_verify_hosts = * and
> tls_verify_certificates = afile/with/just/theclientcert.
I am using it with the ca.crt in that file, as I'm interested in
validating more than just a single client cert.
> * Server: *
> 31998 host in tls_try_verify_hosts? yes (matched "*")
> 31998 initialized GnuTLS session
> 31998 SMTP>> 220 TLS go ahead
> 31998 gnutls_handshake was successful
> 31998 TLS certificate verified: peerdn=C=AT,ST=Austria,CN=client.bebt.de
> 31998 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
>
> Which looks fine to me. The server asks for a certificate, the
> clients sends it. I am sure to have missed something obvious. ;-)
This does not happen if the server cert presented is not signed by the
same CA as the client cert.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20090407/96635e33/attachment.pgp>
More information about the Pkg-exim4-maintainers
mailing list