Bug#544472: server certificate verification fails when connecting as an SMTP client?

Ivan Shmakov ivan at main.uusia.org
Tue Sep 1 17:46:27 UTC 2009 

>>>>> Andreas Metzler <ametzler at downhill.at.eu.org> writes:
>>>>> Ivan Shmakov <ivan at main.uusia.org> wrote:

[...]

 >> It seems that the certificate verification fails when Exim connects
 >> to the peer, while should the peer in question connect to Exim, it
 >> succeeds.

[...]

 >> Note the CV=yes vs. CV=no discrepancy.

 > Hello, Afaict you have provided exim with a list of trusted
 > certificates to check incoming connections (main configuration option
 > tls_verify_certificates) against but you have not toggled the
 > corresponding option for outgoing connections (the
 > tls_verify_certificates private option of the smtp transport).

	I've known that I've made some silly mistake!  I've fixed that
	and it works as expected now, thanks!

	However, the documentation is somewhat unclear on that matter:

--cut: (exim4) Configuring an Exim client to use TLS --
   The `tls_certificate' and `tls_privatekey' options of the `smtp'
transport provide the client with a certificate, which is passed to the
server if it requests it. If the server is Exim, it will request a
certificate only if `tls_verify_hosts' or `tls_try_verify_hosts'
matches the client. *Note*: These options must be set in the `smtp'
transport for Exim to use TLS when it is operating as a client. Exim
does not assume that a server certificate (set by the global options of
the same name) should also be used when operating as a client.

   If `tls_verify_certificates' is set, it must name a file or, for
OpenSSL only (not GnuTLS), a directory, that contains a collection of
expected server certificates. The client verifies the server's
certificate against this collection, taking into account any revoked
certificates that are in the list defined by `tls_crl'.
--cut: (exim4) Configuring an Exim client to use TLS --

	Since it's noted explicitly in the fragment above that the
	`tls_certificate' and `tls_privatekey' options are to be set for
	the transport, the lack of such a notice for
	`tls_verify_certificates' made me assume that it's the global
	option that's mentioned here.

	Could this bug thus be reassigned to the documentation (or the
	source?) with the severity downgraded (and probably retitled)?

-- 
FSF associate member #7257

More information about the Pkg-exim4-maintainers mailing list