Bug#522690: exim4-daemon-heavy: previously working client ssl certificate setup fails to work in lenny

Andreas Metzler ametzler at downhill.at.eu.org
Wed Apr 8 18:05:49 UTC 2009


On 2009-04-07 Stephen Gran <sgran at debian.org> wrote:
> This one time, at band camp, Andreas Metzler said:
>> On 2009-04-05 Stephen Gran <sgran at debian.org> wrote:
>> have just tried to reproduce this. Both sides are running lenny. The
>> client is running basically the vanilla debian config with these
>> changes:
 
>> The testserver is also running on port 1111 with a self-signed certificate,
>> it has set tls_try_verify_hosts = * and
>>  tls_verify_certificates = afile/with/just/theclientcert.

> I am using it with the ca.crt in that file, as I'm interested in
> validating more than just a single client cert.

>> *  Server: *
>> 31998 host in tls_try_verify_hosts? yes (matched "*")
>> 31998 initialized GnuTLS session
>> 31998 SMTP>> 220 TLS go ahead
>> 31998 gnutls_handshake was successful
>> 31998 TLS certificate verified: peerdn=C=AT,ST=Austria,CN=client.bebt.de
>> 31998 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32

>> Which looks fine to me. The server asks for a certificate, the
>> client sends it. I am sure to have missed something obvious. ;-)

> This does not happen if the server cert presented is not signed by the
> same CA as the client cert.

Hello,

I still fail to reproduce this when using non-self-signed certs.
Following Manoj's quick howto
http://www.golden-gryphon.com/blog/manoj//blog/2009/03/31/Fighting_FUD__58___Working_with_openssl/
I have built two CA certs and have signed one certificate with each one.
One goes to the server, one goes to the client, the server gets the
CA cert signing the client cert in tls_verify_certificates.

10337 SMTP>> 220 TLS go ahead
10337 gnutls_handshake was successful
10337 TLS certificate verified: peerdn=C=AT,ST=Vorarlberg,O=Andreas Tests,CN=test-cli-clientcert
10337 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32

cu andreas
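The two-CA setup described in the message above, as an added example that is not part of the bug report and not exim's or Manoj's own script: two independent CAs are built with openssl, a server certificate is signed by one and a client certificate by the other, and the client certificate is then checked against each CA file the way a verifying server would. The work directory, file names and subject DNs are assumptions for the demo; the only exim-specific part is the comment on which file belongs in tls_verify_certificates.

```shell
#!/bin/sh
# Added example, not code from the bug report, exim or Manoj's howto.
# Builds two unrelated CAs, signs one leaf cert with each, then checks
# which CA file validates the client cert. Directory, names and DNs are
# assumptions chosen for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME SUBJECT : self-signed CA key and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" >/dev/null 2>&1
}

# sign_leaf NAME CA SUBJECT : fresh key + CSR for NAME, signed by CA
sign_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against CA CERT : prints "ok" or "FAIL"; this is the same check a
# server performs on the peer cert with the file it has in
# tls_verify_certificates (exim) or any other CAfile-style option.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# The setup from the message: server cert and client cert come from
# two different CAs, and the server gets only the client's CA.
build_pki() {
  make_ca server-ca "/C=AT/O=Andreas Tests/CN=server-ca"
  make_ca client-ca "/C=AT/O=Andreas Tests/CN=client-ca"
  sign_leaf test-srv server-ca "/C=AT/O=Andreas Tests/CN=test-srv"
  sign_leaf test-cli client-ca \
    "/C=AT/ST=Vorarlberg/O=Andreas Tests/CN=test-cli-clientcert"
}

build_pki
echo "client cert vs client-ca (the file for tls_verify_certificates): $(verify_against client-ca test-cli)"
echo "client cert vs server-ca (wrong CA, must not verify):           $(verify_against server-ca test-cli)"
echo "server cert vs server-ca (what the client would check):         $(verify_against server-ca test-srv)"
```

The first line is the case the log excerpt shows ("TLS certificate verified"); the second is the mismatch Stephen describes, and it has to fail, since nothing in the client CA file chains to a certificate issued by the other CA. Set WORK to a directory of your choice to keep the generated files; the CA that signed the client cert is the only one that belongs in the server's tls_verify_certificates file.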