Bug#591261: exim4: Certificate based verification does not work.

Andreas Metzler ametzler at downhill.at.eu.org
Wed Aug 4 17:57:44 UTC 2010


On 2010-08-02 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
[...]
> Anyway, the behavior of the two TLS implementation used in exim4 seems
> to differ when none of the certificates available are listed as
> acceptable by the server. (In the respective handshake for X.509 certs
> the server basically says "Please show me your cert, the list of
> acceptable ones is this one.") In this situation exim4's GnuTLS
> implementation does not send any cert, the OpenSSL code does.
[...]

Hello,
And exactly this seems to be the case here. smtp.cjsm.net does not say
which client certs are acceptable:

ametzler at argenau:~$ openssl s_client -state -connect smtp.cjsm.net:25 -starttls smtp
[...]
---
No client certificate CA names sent
---
[...]

While on the other hand if I configure exim to request client certs
signed by cjsm's CA (by pointing MAIN_TLS_VERIFY_CERTIFICATES to a
file containing just this cert and setting MAIN_TLS_TRY_VERIFY_HOSTS)
I will get this. (No matter whether exim is linked against OpenSSL or
GnuTLS.):

[...]
---
Acceptable client certificate CA names
/C=GB/ST=Wiltshire/L=Swindon/O=Cable & Wireless plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA (CJSM)/emailAddress=raymond.edah at cwipapps.net
---
[...]

As I said previously, in this scenario GnuTLSed exim won't send client
certificates. It would be possible to change this, the GnuTLS
interface exists, exim just does not yet use it.

cu andreas
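The handshake element the mail is about is the TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4): the server lists the certificate types and signature algorithms it accepts and then the DER-encoded distinguished names of the CAs it trusts, which is the list openssl s_client prints as "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the list is empty). The following is an added example, not code from exim, GnuTLS or OpenSSL: it builds and parses that message and then applies the two client-side policies the mail contrasts. The RFC lets a client send any certificate when the list is empty (the OpenSSL-like behaviour described above); the `strict` policy models the GnuTLS-side behaviour the mail reports, where an empty list matches nothing and no certificate is sent. The CA name is a shortened, constructed version of the cjsm DN shown above; all helper names are this example's own.

```python
"""Build/parse a TLS 1.2 CertificateRequest body and pick a client cert
against the server's acceptable-CA list.  Added example; not exim, GnuTLS
or OpenSSL code.  Names and certificates below are constructed."""
import struct

# --- minimal DER (X.501 Name) helpers -------------------------------------
OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
        "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}

def der(tag, content):
    """Encode one DER TLV (definite length, content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content

def encode_name(pairs):
    """[("C","GB"),("O","Example CA")] -> DER Name (UTF8String values,
    since '&' is not a PrintableString character)."""
    rdns = b"".join(
        der(0x31, der(0x30, der(0x06, OIDS[k]) + der(0x0c, v.encode("utf-8"))))
        for k, v in pairs)
    return der(0x30, rdns)

def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV); short and long lengths."""
    tag = buf[pos]; pos += 1
    ln = buf[pos]; pos += 1
    if ln & 0x80:
        nbytes = ln & 0x7f
        ln = int.from_bytes(buf[pos:pos + nbytes], "big"); pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def decode_name(der_name):
    """DER Name -> '/C=GB/O=Example CA', the way openssl s_client prints it."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, setc, pos = read_tlv(rdns, pos)     # RelativeDistinguishedName (SET)
        _, atv, _ = read_tlv(setc, 0)          # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = read_tlv(atv, 0)           # type OID
        _, val, _ = read_tlv(atv, p)           # value
        parts.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()), val.decode("utf-8")))
    return "/" + "/".join(parts)

# --- CertificateRequest body (RFC 5246 7.4.4) ------------------------------
def build_certificate_request(ca_names):
    """certificate_types = [rsa_sign], sigalgs = [sha256/rsa], then the
    (possibly empty) certificate_authorities list of DER Names."""
    types = b"\x01\x01"
    sigalgs = b"\x00\x02\x04\x01"
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    return types + sigalgs + struct.pack(">H", len(cas)) + cas

def parse_certificate_request(body):
    """Return the acceptable CA names as strings; [] when the server sent none."""
    pos = 0
    n = body[pos]; pos += 1 + n                                   # certificate_types
    n = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + n   # signature algs
    n = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2       # CA list length
    end = pos + n
    if end > len(body):
        raise ValueError("certificate_authorities runs past end of message")
    names = []
    while pos < end:
        ln = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        if pos + ln > end:
            raise ValueError("DistinguishedName runs past end of CA list")
        names.append(decode_name(body[pos:pos + ln])); pos += ln
    return names

def select_client_cert(acceptable, certs, strict):
    """certs: list of (label, issuer DN string).  Returns the label to send,
    or None.  strict=False: an empty list allows any cert (RFC 5246, the
    OpenSSL-like behaviour in the mail).  strict=True: an empty list matches
    nothing and no cert is sent (the GnuTLS-side behaviour the mail describes)."""
    if not acceptable:
        return None if strict or not certs else certs[0][0]
    for label, issuer in certs:
        if issuer in acceptable:
            return label
    return None

# Constructed, shortened version of the cjsm root DN from the mail.
CJSM_CA = encode_name([("C", "GB"), ("O", "Cable & Wireless plc"),
                       ("CN", "Criminal Justice IT Root CA (CJSM)")])
CERTS = [("site-cert", decode_name(CJSM_CA))]   # our cert, issued by that CA

def demo():
    empty = parse_certificate_request(build_certificate_request([]))
    listed = parse_certificate_request(build_certificate_request([CJSM_CA]))
    return {"no_ca_names": empty,
            "ca_names": listed,
            "empty_list_strict": select_client_cert(empty, CERTS, True),
            "empty_list_lenient": select_client_cert(empty, CERTS, False),
            "issuer_listed": select_client_cert(listed, CERTS, True)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The two `select_client_cert` policies reproduce the mail's observation: with the same certificate and the same server, the empty CA list yields no client certificate under the strict policy and the certificate under the lenient one, while a server that lists the issuing CA gets the certificate either way.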


More information about the Pkg-exim4-maintainers mailing list