Bug#591261: exim4: Certificate based verification does not work.

Jon Westgate jon at fsck.tv
Mon Aug 2 20:51:34 UTC 2010


  Andreas,
I just used openssl with pretty much the default settings to generate my 
cert request, CJSM sent me back a signed x509 cert (pem) which I 
installed according to the docs at exim.org with maybe a slight 
modification to the locations, I put them in /etc/exim4/certs. It's got 
Debian-exim read permissions

I noticed that the CJSM server was sending back "550 you must send a 
certificate" error responses when I tested.
The only reason I set up a pair of servers was to try to debug things.

I found the article http://www.exim-users.org/forums/showthread.php?t=50795
and this prompted me to try openssl.

So you are saying that gnutls does not support x509 certs?

The certificate in question mostly decodes (censored to protect my 
client) as:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 276 (0x114)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=GB, ST=Wiltshire, L=Swindon, O=Cable & Wireless plc, 
OU=CJIT Secure Mail, CN=Criminal Justice IT Root CA 
(CJSM)/emailAddress=xxxxxxxxxxxx at xxxxxxx.net
         Validity
             Not Before: Jul 28 10:27:55 2010 GMT
             Not After : Jul 28 10:27:55 2013 GMT
         Subject: C=GB, ST=London, L=Farringdon (london), O=Xxxxxxxxx 
Xxxxxxxx, OU=IT Section, 
CN=mail.xxxxxxxxx.co.uk/emailAddress=xxxxx at xxxxxxxxxx.co.uk
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 XX:XX:4F:65:C7:4A:XX:94:XX:XX:B2:XX:F8:27:75:XX:XX:XX:XX:XX
             X509v3 Authority Key Identifier:
                 keyid:XX:XX:XX:B4:49:XX:CC:XX:34:D7:XX:32:XX:37:96:AE:XX:XX:XX:XX
                 DirName:/C=GB/ST=Wiltshire/L=Swindon/O=Xxxxx & 
Yyyyyyyyy plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA 
(CJSM)/emailAddress=yyyyyyy at yyyyyyyyy.net
                 serial:00

     Signature Algorithm: md5WithRSAEncryption
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx
                     xx:xx:xx:1024 bits of info here :xx:xx:xx

Is it something to do with the version numbers???

Regards
Jon


On 02/08/10 19:12, Andreas Metzler wrote:
> On 2010-08-01 Jon Westgate<jon at fsck.tv>  wrote:
>
>> On 01/08/10 17:35, Andreas Metzler wrote:
>>> On 2010-08-01 Jon Westgate<oryn at fsck.tv>   wrote:
>>>> Package: exim4
>>>> Version: 4.72-1
>>>> Severity: important
>>>> Tags: upstream
>>>> I have been asked to setup an exim4 server for use with CJSM.
>>>> https://www.cjsm.net This requires that a server (acting as a smart
>>>> host in this case) encrypt and sign all emails headed for CJSM.
>>>> This is something that according to exim.org, exim should be
>>>> capable of doing.  After struggling with this for a number of days
>>>> I came across a blog entry on the web saying that exim compiled
>>>> against openssl seemed to work whereas exim compiled against gnutls
>>>> didn't.  I recompiled and hey presto everything works.  I'm not
>>>> campaigning for openssl to be the default in exim, just merely
>>>> registering the fact that both tls_try_verify_hosts and
>>>> tls_verify_hosts directives fail with this package.  Indeed exim as
>>>> a client does not send a certificate when asked for one.
> [...]
>
>> The point I was trying to make is that exim doesn't send a certificate
>> when asked
>> even if you have the following:
>> remote_smtp:
>>    driver = smtp
>>    tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
>>    tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
>> recompile both servers against openssl and it magically works, but only if
>> both are built against openssl.
> The point I was trying to make was that exim+GnuTLS generally is able to
> send server certificates. ;-)
>
> Anyway, the behavior of the two TLS implementations used in exim4 seems
> to differ when none of the certificates available are listed as
> acceptable by the server. (In the respective handshake for X.509 certs
> the server basically says "Please show me your cert, the list of
> acceptable ones is this one.") In this situation exim4's GnuTLS
> implementation does not send any cert, the OpenSSL code does.
>
> It seems to be possible to change this by using the callback
> interface.
> http://mid.gmane.org/874pmfixt2.fsf@mocca.josefsson.org
>
> cu andreas
>
>
>
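
Added example (not from the bug report or from exim): a small Python check for the situation Andreas describes, where the server's CertificateRequest carries a list of acceptable CA names and a strict client offers a certificate only if that cert's issuer is on the list. Feed it the DNs a server advertises (for instance the "Acceptable client certificate CA names" that `openssl s_client -starttls smtp` prints) and your chain, and it reports which cert, if any, an exim+GnuTLS-style client would send. All DN strings and the client cert below are constructed, modelled on the censored dump above.

```python
"""Would the server's acceptable-CA list let this client cert be offered?

Accepts DNs in OpenSSL's comma form ("C=GB, ST=Wiltshire, ...") or slash
form ("/C=GB/ST=Wiltshire/..."), including the old one-line quirk where
emailAddress is appended to the CN with a slash, as in the dump above.
"""
import re

# Split on ", " or "/" only when an attribute type and "=" follow, so values
# such as "Cable & Wireless plc" or "Root CA (CJSM)" stay intact.
_SEP = re.compile(r"(?:,\s*|/)(?=[A-Za-z][A-Za-z0-9]*\s*=)")


def parse_dn(dn):
    """Normalise a DN string to a tuple of (TYPE, value) pairs, in order.

    Attribute types are case-insensitive; values are whitespace-collapsed
    and lower-cased, which is the loose matching an operator wants when
    comparing what two tools printed for the same name.
    """
    pairs = []
    for part in _SEP.split(dn.strip()):
        if not part:
            continue  # leading "/" of slash form yields an empty piece
        typ, _, val = part.partition("=")
        pairs.append((typ.strip().upper(), " ".join(val.split()).lower()))
    return tuple(pairs)


def select_client_cert(chain, acceptable_cas):
    """Return the first cert whose issuer the server listed, else None.

    None is exactly the case from the thread: no acceptable issuer, so a
    strict client sends no certificate and the peer answers "550 you
    must send a certificate".
    """
    accepted = {parse_dn(ca) for ca in acceptable_cas}
    return next((c for c in chain if parse_dn(c["issuer"]) in accepted), None)


# Constructed sample data, modelled on the censored dump in the report.
CJSM_ROOT = ("C=GB, ST=Wiltshire, L=Swindon, O=Cable & Wireless plc, "
             "OU=CJIT Secure Mail, CN=Criminal Justice IT Root CA (CJSM)"
             "/emailAddress=ca@example.net")
CLIENT_CERT = {"subject": "C=GB, ST=London, O=Example Org, CN=mail.example.co.uk",
               "issuer": CJSM_ROOT}
# The same CA as the server might advertise it, in slash form.
ACCEPTABLE = ["/C=GB/ST=Wiltshire/L=Swindon/O=Cable & Wireless plc/OU=CJIT Secure Mail"
              "/CN=Criminal Justice IT Root CA (CJSM)/emailAddress=ca@example.net"]

if __name__ == "__main__":
    chosen = select_client_cert([CLIENT_CERT], ACCEPTABLE)
    print("would offer:", chosen["subject"] if chosen else "nothing (no acceptable issuer)")
```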
