Bug#522690: exim4-daemon-heavy: previously working client ssl certificate setup fails to work in lenny

Stephen Gran sgran at debian.org
Tue Apr 7 20:07:12 UTC 2009


This one time, at band camp, Andreas Metzler said:
> On 2009-04-05 Stephen Gran <sgran at debian.org> wrote:
> have just tried to reproduce this. Both sides are running lenny. The
> client is running basically the vanilla debian config with these
> changes:
> 
> The testserver is also running on port 1111 with a self-signed certificate,
> it has set tls_try_verify_hosts = * and
>  tls_verify_certificates = afile/with/just/theclientcert.

I am using it with the ca.crt in that file, as I'm interested in
validating more than just a single client cert.

> *  Server: *
> 31998 host in tls_try_verify_hosts? yes (matched "*")
> 31998 initialized GnuTLS session
> 31998 SMTP>> 220 TLS go ahead
> 31998 gnutls_handshake was successful
> 31998 TLS certificate verified: peerdn=C=AT,ST=Austria,CN=client.bebt.de
> 31998 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
> 
> Which looks fine to me. The server asks for a certificate, the
> client sends it. I am sure to have missed something obvious. ;-)

This does not happen if the server cert presented is not signed by the
same CA as the client cert.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------