Bug#544472: server certificate verification fails when connecting as an SMTP client?

Andreas Metzler ametzler at downhill.at.eu.org
Sun Sep 13 11:19:11 UTC 2009


retitle 544472 clarify exim client TLS documentation 
severity 544472 minor
thanks
On 2009-09-01 Ivan Shmakov <ivan at main.uusia.org> wrote:
[...]
> 	However, the documentation is somewhat unclear on that matter:

> --cut: (exim4) Configuring an Exim client to use TLS --
>    The `tls_certificate' and `tls_privatekey' options of the `smtp'
> transport provide the client with a certificate, which is passed to the
> server if it requests it. If the server is Exim, it will request a
> certificate only if `tls_verify_hosts' or `tls_try_verify_hosts'
> matches the client. *Note*: These options must be set in the `smtp'
> transport for Exim to use TLS when it is operating as a client. Exim
> does not assume that a server certificate (set by the global options of
> the same name) should also be used when operating as a client.

>    If `tls_verify_certificates' is set, it must name a file or, for
> OpenSSL only (not GnuTLS), a directory, that contains a collection of
> expected server certificates. The client verifies the server's
> certificate against this collection, taking into account any revoked
> certificates that are in the list defined by `tls_crl'.
> --cut: (exim4) Configuring an Exim client to use TLS --

> 	Since it's noted explicitly in the fragment above that the
> 	`tls_certificate' and `tls_privatekey' options are to be set for
> 	the transport, the lack of such a notice for
> 	`tls_verify_certificates' made me assume that it's the global
> 	option that's mentioned here.

> 	Could this bug thus be reassigned to the documentation (or the
> 	source?) with the severity downgraded (and probably retitled)?

Hello,

thank you for the pointer. I have made a preliminary patch and have
forwarded this upstream to <http://bugs.exim.org/show_bug.cgi?id=888>.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
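
An added example (not part of the original message or of Exim itself): a small Python check that lists `smtp` transports lacking their own `tls_verify_certificates`, the transport-level setting this report is about. The sample configuration, its paths and its transport names are constructed, and the parser assumes a single-file configuration without macros, `.include` or backslash line continuations.

```python
import re

# Constructed sample configuration (not from the original message): the CA
# bundle is set in the main section, but only one smtp transport sets it too.
SAMPLE_CONF = """\
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

begin transports

remote_smtp:
  driver = smtp
  hosts_require_tls = *

remote_smtp_verified:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
"""

def parse_transports(conf):
    """Return {transport_name: {option: value}} from the transports section."""
    section, current, transports = "main", None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:  # a new section starts; options before the first one are global
            section, current = m.group(1), None
        elif section == "transports":
            if re.match(r"\w+:$", line):  # "name:" opens a transport block
                current = transports.setdefault(line[:-1], {})
            elif current is not None and "=" in line:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return transports

def unverified_smtp_transports(conf):
    """Names of smtp transports that do not set tls_verify_certificates."""
    return sorted(name for name, opts in parse_transports(conf).items()
                  if opts.get("driver") == "smtp"
                  and "tls_verify_certificates" not in opts)

if __name__ == "__main__":
    print(unverified_smtp_transports(SAMPLE_CONF))
```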




