Bug#782549: Client certificate validation fails: "certificate invalid"

Sam Morris sam at robots.org.uk
Mon Apr 13 23:15:17 UTC 2015


Package: exim4
Version: 4.84-8
Severity: normal

I'm not having much luck trying to get client certificate validation to
work. When I run exim with debug logging turned on, the client sends its
certificate and the server logs:

    13546 SMTP>> 220 TLS go ahead
    13546 TLS: no SNI presented in handshake.
    13546 gnutls_handshake was successful
    13546 TLS certificate verification failed (certificate invalid): peerdn="CN=traxus.robots.org.uk"
    13546 TLS verify failure overridden (host in tls_try_verify_hosts)
    13546 cipher: TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256

There's no indication of what about the certificate is invalid though.
The only reference to this error that I could find was an upstream bug
<https://github.com/Exim/exim/issues/19> which refers to a bug with
GnuTLS and certificates using sha512WithRSAEncryption, but my
certificate is only using RSA-SHA256 as the signature algorithm so I
don't think that's it. I'll attach the client certificate in case you
have an idea what is causing the 'certificate invalid' message; I can
also send you a certificate/key that the server should accept if that
would help.

On the server side, the config is pretty straightforward; I've just set
the following:

    MAIN_TLS_ENABLE = yes
    MAIN_TLS_CERTIFICATE = CONFDIR/ssl/smtp-2014-cert+chain.pem
    MAIN_TLS_PRIVATEKEY = CONFDIR/ssl/smtp-2014-key.pem
    MAIN_LOG_SELECTOR = +tls_certificate_verified +tls_cipher +tls_peerdn
    MAIN_TLS_TRY_VERIFY_HOSTS = *
    MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim4/ssl/ca.pem

And on the client side:

    REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE = /etc/exim4/ssl/traxus.robots.org.uk-cert.pem
    REMOTE_SMTP_SMARTHOST_TLS_PRIVATEKEY = /etc/exim4/ssl/traxus.robots.org.uk-key.pem

As for the swaks command line:

    swaks --server smtp.robots.org.uk --to foo@example.com -tls --tls-verify --tls-cert /etc/exim4/ssl/traxus.robots.org.uk-cert.pem --tls-key /etc/exim4/ssl/traxus.robots.org.uk-key.pem

-- Package-specific info:
Exim version 4.84 #2 built 17-Feb-2015 17:01:49
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='traxus ; traxus.robots.org.uk ; +virtual_domains ; +mailman_domains'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:traxus.robots.org.uk

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (550, 'testing-updates'), (550, 'testing'), (520, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-0.bpo.4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  exim4-base             4.84-8
ii  exim4-daemon-heavy     4.84-8

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:
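To learn what "certificate invalid" actually means, the same CA file and client certificate can be checked outside Exim, where the verifiers state their reason. The script below is an added example, not part of this bug report or of the exim4 package; it assumes as inputs the CA file from MAIN_TLS_VERIFY_CERTIFICATES and the client certificate from REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE, and builds a throwaway demo PKI with openssl (constructed sample input) so that `sh check-cert.sh demo` runs on its own.

```shell
#!/bin/sh
# Reproduce Exim's client-certificate check outside Exim to learn the reason.
# Added diagnostic script, not from the bug report or the exim4 package.
# Assumed inputs: the CA file set in MAIN_TLS_VERIFY_CERTIFICATES and the
# client certificate set in REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE.
set -u

# check_client_cert CA.pem CLIENT-CERT.pem
# Prints the signature algorithm and each verifier's verdict; returns 0 only
# when every verifier available on this machine accepts the certificate.
check_client_cert() {
    ca="$1"; cert="$2"; status=0
    # Upstream issue #19 concerned sha512WithRSAEncryption under GnuTLS, so
    # show which signature algorithm this certificate actually carries.
    openssl x509 -in "$cert" -noout -text | grep 'Signature Algorithm' | head -n1
    # OpenSSL's verify spells out what GnuTLS reports only as "invalid":
    # unknown issuer, expired, not yet valid, bad signature, ...
    openssl verify -CAfile "$ca" "$cert" || status=1
    # When GnuTLS's certtool is installed, ask the library Exim really uses.
    if command -v certtool >/dev/null 2>&1; then
        certtool --verify --load-ca-certificate "$ca" --infile "$cert" || status=1
    fi
    return "$status"
}

# make_demo_pki DIR: constructed sample input, a throwaway CA, a client
# certificate it signs (RSA-SHA256, like the reporter's) and an unrelated
# CA that shows what a rejection looks like.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Other CA" \
        -keyout "$d/other-key.pem" -out "$d/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=client.example" \
        -keyout "$d/client-key.pem" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -sha256 -days 1 -out "$d/client-cert.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    check_client_cert "$dir/ca.pem" "$dir/client-cert.pem" && echo "accepted"
    check_client_cert "$dir/other-ca.pem" "$dir/client-cert.pem" || echo "rejected as expected"
fi
```

Against the real files from the report, source the script and run `check_client_cert /etc/exim4/ssl/ca.pem /etc/exim4/ssl/traxus.robots.org.uk-cert.pem` on the server.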