Re: [Exim] tls certificate verification

Author: Philip Hazel
Date:  
To: Steve Haslam
CC: exim-users
Subject: Re: [Exim] tls certificate verification
On Mon, 9 Sep 2002, Steve Haslam wrote:

> host in tls_verify_hosts? yes (matched "*")
> SMTP>> 220 TLS go ahead
> Calling SSL_accept
>
> [ .. SSL gumpf here .. ]
>
> SSL_accept was successful


... which suggests it was happy with the certificate it received.

> ... so, no messages from verify_callback() about the various stages of the
> chain, which I think there should be.


Hmm. This is an area where I'm floundering around much of the time.
(Actually, that's true of most of OpenSSL, with the documentation I have
managed to find at present.)

> I have tls_verify_hosts set to "*" as can be seen, so it ought to be
> rejecting TLS connections without a proper certificate aiui.


Yes, you're right.

> Afaict, the sorting out of TLS certificates on SMTP is done at the time the
> TLS session is established, i.e. after STARTTLS.


Yes, that is correct. It should all be done within the OpenSSL
functions.

I do have a test for this stuff. I get debugging output from the server
that looks like this when the client sends no certificate:

SMTP<< starttls
tls_certificate file /home/ph10/exim4/AutoTest/aux/cert1
tls_privatekey file /home/ph10/exim4/AutoTest/aux/cert1
Initialised TLS
host in tls_verify_hosts? yes (matched "::1")
SMTP>>
220 TLS go ahead?
Calling SSL_accept
SSL info: before/accept initialization
SSL info: before/accept initialization
SSL info: SSLv3 read client hello A
SSL info: SSLv3 write server hello A
SSL info: SSLv3 write certificate A
SSL info: SSLv3 write certificate request A
SSL info: SSLv3 flush data
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate


and like this when the client sends a bad certificate:

SMTP<< starttls
tls_certificate file /home/ph10/exim4/AutoTest/aux/cert1
tls_privatekey file /home/ph10/exim4/AutoTest/aux/cert1
Initialised TLS
host in tls_verify_hosts? yes (matched "::1")
SMTP>>
220 TLS go ahead?
Calling SSL_accept
SSL info: before/accept initialization
SSL info: before/accept initialization
SSL info: SSLv3 read client hello A
SSL info: SSLv3 write server hello A
SSL info: SSLv3 write certificate A
SSL info: SSLv3 write certificate request A
SSL info: SSLv3 flush data
LOG: MAIN
SSL verify error: depth=0 error=self signed certificate
cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
TLS failed to start
--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
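As an added example (not part of this message or of Exim itself), the following Python parser classifies STARTTLS attempts from server debug traces like the two quoted above: it re-joins the wrapped lines, pulls out the verify_callback error (depth, reason, subject) and the final SSL_accept failure, and returns a verdict an operator can alert on. The sample traces are constructed from the ones quoted in the message.

```python
import re
# Constructed samples modelled on the two server traces quoted above,
# keeping the line wrapping they show there.
TRACE_NO_CERT = """\
host in tls_verify_hosts? yes (matched "::1")
SSL info: SSLv3 write certificate request A
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
"""
TRACE_BAD_CERT = """\
host in tls_verify_hosts? yes (matched "::1")
LOG: MAIN
SSL verify error: depth=0 error=self signed certificate
cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
TLS failed to start
"""
# A debug line not starting with one of these is a wrapped continuation.
LINE_START = re.compile(r"^(SSL |SSL_|LOG:|TLS |SMTP|host |Calling |tls_|error:|\d{3} )")
VERIFY_RE = re.compile(r"^SSL verify error: depth=(\d+) error=(.*?) cert=(.*)$")
ACCEPT_RE = re.compile(r"^error:([0-9A-F]{8}):SSL routines:(\w+):(.*)$")

def unwrap(text):
    """Re-join debug lines that were wrapped by the terminal or mailer."""
    out = []
    for line in text.splitlines():
        if out and not LINE_START.match(line):
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def summarise_handshake(text):
    """Classify one STARTTLS attempt from Exim debug output."""
    r = {"verify_required": False, "verify_errors": [], "accept_error": None}
    for line in unwrap(text):
        if line.startswith("host in tls_verify_hosts? yes"):
            r["verify_required"] = True          # a client cert will be demanded
        elif m := VERIFY_RE.match(line):          # logged by the verify callback
            r["verify_errors"].append((int(m[1]), m[2], m[3]))
        elif m := ACCEPT_RE.match(line):          # OpenSSL error that ended SSL_accept
            r["accept_error"] = (m[1], m[2], m[3])
    r["verdict"] = "rejected" if r["accept_error"] else "accepted"
    return r
```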