[Exim] tls certificate verification

Author: Steve Haslam
Date:  
To: exim-users
Subject: [Exim] tls certificate verification
Hi,

Have many people used Exim as a TLS-supporting server that uses
certificate-based authentication? It's just that I'm looking at the code and
testing things out, and it seems that Exim doesn't always require a
certificate when I think it should (version 4.10):

SMTP<< STARTTLS
tls_certificate file /etc/exim/araqnid.ddts.net-rsa.crt
tls_privatekey file /etc/exim/araqnid.ddts.net-rsa.key
Initialised TLS
host in tls_verify_hosts? yes (matched "*")
SMTP>> 220 TLS go ahead

Calling SSL_accept

[ .. SSL gumpf here .. ]

SSL_accept was successful
Cipher: TLSv1:DES-CBC3-SHA:168
[ big list of shared ciphers ]
sender_fullhost = localhost [127.0.0.1]
sender_rcvhost = localhost ([127.0.0.1] ident=steve)
set_process_info: 25775 handling incoming TLS connection from localhost [127.0.0.1]
TLS active
Calling SSL_read(80d8818, 80e8bd0, 4096)

... so, no messages from verify_callback() about the various stages of the
chain, which I think there should be. Is this a largely unused tract of code
or am I just setting things up wrong? I have tls_verify_hosts set to "*" as
can be seen, so it ought to be rejecting TLS connections without a proper
certificate aiui.

SRH
--
Steve Haslam      Reading, UK                           araqnid@???
Debian GNU/Linux Maintainer                               araqnid@???
Your heart has been ruptured and it will never heal
To get another heart you'll have to steal                    [leæther strip]
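A minimal main-section fragment, added here as an example and not taken from the post, that pairs tls_verify_hosts with the tls_verify_certificates option it depends on: in the Exim server code the OpenSSL verify callback is only installed when tls_verify_certificates is set, so with tls_verify_hosts alone SSL_accept completes without the client ever being asked for a certificate. The certificate and key paths are the ones from the debug output above; the CA file path is a placeholder.

```conf
# Exim main configuration section (added example, not from the post).
# The CA bundle path is a placeholder; point it at the CAs that issued
# your clients' certificates.

# Server identity presented to clients after STARTTLS
tls_certificate = /etc/exim/araqnid.ddts.net-rsa.crt
tls_privatekey  = /etc/exim/araqnid.ddts.net-rsa.key

# Clients that MUST present a verifiable certificate; for these hosts
# the TLS negotiation fails if no acceptable certificate is supplied.
tls_verify_hosts = *

# CA certificates the client certificate must chain to.  This is the
# option that switches client verification on: without it Exim does
# not request a client certificate at all, and the debug log shows no
# verify_callback() lines, which matches the quiet SSL_accept above.
tls_verify_certificates = /etc/exim/client-ca.pem
```

To confirm the server now asks for a certificate, run `openssl s_client -starttls smtp -connect localhost:25` and look for an "Acceptable client certificate CA names" list in its output; a server that does not request one prints "No client certificate CA names sent" instead.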