Bug#591261: exim4: Certificate based verification does not work.

Andreas Metzler ametzler at downhill.at.eu.org
Mon Aug 2 18:12:08 UTC 2010


On 2010-08-01 Jon Westgate <jon at fsck.tv> wrote:

> On 01/08/10 17:35, Andreas Metzler wrote:
>> On 2010-08-01 Jon Westgate <oryn at fsck.tv> wrote:

>>> Package: exim4
>>> Version: 4.72-1
>>> Severity: important
>>> Tags: upstream

>>> I have been asked to setup an exim4 server for use with CJSM.
>>> https://www.cjsm.net This requires that a server (acting as a smart
>>> host in this case) encrypt and sign all emails headed for CJSM.
>>> This is something that according to exim.org, exim should be
>>> capable of doing.  After struggling with this for a number of days
>>> I came across a blog entry on the web saying that exim compiled
>>> against openssl seemed to work whereas exim compiled against gnutls
>>> didn't.  I recompiled and hey presto everything works.  I'm not
>>> campaigning for openssl to be the default in exim, just merely
>>> registering the fact that both tls_try_verify_hosts and
>>> tls_verify_hosts directives fail with this package.  Indeed exim as
>>> a client does not send a certificate when asked for one.

[...]

> The point I was trying to make is that exim doesn't send a certificate
> when asked, even if you have the following:

> remote_smtp:
>   driver = smtp
>   tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
>   tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem

> recompile both servers against openssl and it magically works, but only if
> both are built against openssl.

The point I was trying to make was that exim+GnuTLS generally is able to
send server certificates. ;-)

Anyway, the behavior of the two TLS implementations used in exim4 seems
to differ when none of the certificates available are listed as
acceptable by the server. (In the respective handshake for X.509 certs
the server basically says "Please show me your cert, the list of
acceptable ones is this one.") In this situation exim4's GnuTLS
implementation does not send any cert, the OpenSSL code does.

It seems to be possible to change this by using the callback
interface.
http://mid.gmane.org/874pmfixt2.fsf@mocca.josefsson.org

cu andreas
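To make the handshake step Andreas describes concrete, here is an added example (not part of the thread and not exim or GnuTLS code) that builds a constructed TLS 1.2 CertificateRequest, extracts the server's certificate_authorities list from it, and checks whether a client certificate's issuer DN appears there. The CA names and the `der_cn` helper are constructed test data; the check models the condition under which the two libraries diverge (no match: GnuTLS sends no certificate, OpenSSL sends one anyway).

```python
import struct


def der_cn(name):
    """Build a minimal DER X.501 Name holding one commonName (constructed test data)."""
    def tlv(tag, body):
        assert len(body) < 128  # short-form lengths are enough for these names
        return bytes([tag, len(body)]) + body
    # AttributeTypeAndValue { id-at-commonName (2.5.4.3), UTF8String name }
    atv = tlv(0x30, tlv(0x06, bytes([0x55, 0x04, 0x03])) + tlv(0x0C, name.encode()))
    return tlv(0x30, tlv(0x31, atv))  # Name ::= SEQUENCE OF SET OF atv


def build_certificate_request(ca_names):
    """Encode a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) for the given DNs."""
    cert_types = bytes([1])                      # rsa_sign
    sig_algs = bytes([0x04, 0x01, 0x05, 0x01])   # sha256/rsa, sha384/rsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


def parse_certificate_authorities(body):
    """Return the DER-encoded DNs the server lists as acceptable issuers."""
    off = 0
    n_types = body[off]
    off += 1 + n_types                           # skip certificate_types
    (sig_len,) = struct.unpack_from("!H", body, off)
    off += 2 + sig_len                           # skip supported_signature_algorithms
    (ca_len,) = struct.unpack_from("!H", body, off)
    off += 2
    end = off + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match message")
    names = []
    while off < end:
        (n_len,) = struct.unpack_from("!H", body, off)
        off += 2
        names.append(body[off:off + n_len])
        off += n_len
    return names


def client_cert_acceptable(issuer_dn, body):
    """True if the configured cert's issuer is listed; an empty list means 'any issuer' per RFC 5246."""
    cas = parse_certificate_authorities(body)
    return not cas or issuer_dn in cas


if __name__ == "__main__":
    req = build_certificate_request([der_cn("Example Server CA")])
    # A cert issued by a CA the server did not list: GnuTLS-based exim stays silent here.
    print(client_cert_acceptable(der_cn("Example Local CA"), req))  # False
```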
