On Mon, 9 Sep 2002, Steve Haslam wrote:
> host in tls_verify_hosts? yes (matched "*")
> SMTP>> 220 TLS go ahead
> Calling SSL_accept
>
> [ .. SSL gumpf here .. ]
>
> SSL_accept was successful
... which suggests it was happy with the certificate it received.
> ... so, no messages from verify_callback() about the various stages of the
> chain, which I think there should be.
Hmm. This is an area where I'm floundering around much of the time.
(Actually, that's true of most of OpenSSL, with the documentation I have
managed to find at present.)
> I have tls_verify_hosts set to "*" as can be seen, so it ought to be
> rejecting TLS connections without a proper certificate aiui.
Yes, you're right.
> Afaict, the sorting out of TLS certificates on SMTP is done at the time the
> TLS session is established, i.e. after STARTTLS.
Yes, that is correct. It should all be done within the OpenSSL
functions.
I do have a test for this stuff. I get debugging output from the server
that looks like this when the client sends no certificate:
SMTP<< starttls
tls_certificate file /home/ph10/exim4/AutoTest/aux/cert1
tls_privatekey file /home/ph10/exim4/AutoTest/aux/cert1
Initialised TLS
host in tls_verify_hosts? yes (matched "::1")
SMTP>>
220 TLS go ahead?
Calling SSL_accept
SSL info: before/accept initialization
SSL info: before/accept initialization
SSL info: SSLv3 read client hello A
SSL info: SSLv3 write server hello A
SSL info: SSLv3 write certificate A
SSL info: SSLv3 write certificate request A
SSL info: SSLv3 flush data
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
and like this when the client sends a bad certificate:
SMTP<< starttls
tls_certificate file /home/ph10/exim4/AutoTest/aux/cert1
tls_privatekey file /home/ph10/exim4/AutoTest/aux/cert1
Initialised TLS
host in tls_verify_hosts? yes (matched "::1")
SMTP>>
220 TLS go ahead?
Calling SSL_accept
SSL info: before/accept initialization
SSL info: before/accept initialization
SSL info: SSLv3 read client hello A
SSL info: SSLv3 write server hello A
SSL info: SSLv3 write certificate A
SSL info: SSLv3 write certificate request A
SSL info: SSLv3 flush data
LOG: MAIN
SSL verify error: depth=0 error=self signed certificate
cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
SSL info: SSLv3 read client certificate B
LOG: MAIN
TLS error on connection from (rhu.barb) [::1] (SSL_accept):
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
TLS failed to start
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
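Added example, not from the thread or from Exim itself: a small Python classifier that reduces exim -d TLS debug output of the kind quoted above to a per-attempt verdict, separating "peer did not return a certificate" from "no certificate returned" (the verify callback rejected it) and flagging a successful SSL_accept that produced no verify_callback output at all, which is the symptom Steve reported. The sample transcripts are constructed from the lines in this thread, with the mail-wrapped error lines joined back into single lines.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the exim -d output quoted in the thread;
# the mail-wrapped "error:..." lines are joined back into one line each.
NO_CERT = """host in tls_verify_hosts? yes (matched "::1")
SSL info: SSLv3 write certificate request A
TLS error on connection from (rhu.barb) [::1] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate"""
BAD_CERT = """host in tls_verify_hosts? yes (matched "::1")
SSL info: SSLv3 write certificate request A
SSL verify error: depth=0 error=self signed certificate
cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
TLS error on connection from (rhu.barb) [::1] (SSL_accept): error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS failed to start"""
NO_VERIFY = """host in tls_verify_hosts? yes (matched "*")
SSL info: SSLv3 write certificate request A
SSL_accept was successful"""

VERIFY_RE = re.compile(r"^SSL verify error: depth=(\d+) error=(.*)$")
ACCEPT_RE = re.compile(r"\(SSL_accept\): error:[0-9A-Fa-f]+:SSL routines:(\w+):(.*)$")

@dataclass
class TlsVerdict:
    verify_host: str = ""            # pattern matched in tls_verify_hosts, if any
    cert_requested: bool = False     # server sent a CertificateRequest
    verify_output_seen: bool = False # verify_callback logged anything
    verify_errors: list = field(default_factory=list)  # (depth, error, subject)
    outcome: str = "unknown"

def classify(debug_text: str) -> TlsVerdict:
    """Reduce one STARTTLS attempt's debug output to a verdict."""
    v = TlsVerdict()
    for line in debug_text.splitlines():
        if m := re.search(r'tls_verify_hosts\? yes \(matched "(.*)"\)', line):
            v.verify_host = m.group(1)
        elif "write certificate request" in line:
            v.cert_requested = True
        elif m := VERIFY_RE.match(line):
            v.verify_output_seen = True
            v.verify_errors.append((int(m.group(1)), m.group(2), None))
        elif line.startswith("cert=") and v.verify_errors:
            d, e, _ = v.verify_errors.pop()           # subject belongs to previous error
            v.verify_errors.append((d, e, line[5:]))
        elif m := ACCEPT_RE.search(line):
            v.outcome = ("no_client_cert" if "did not return a certificate" in m.group(2)
                         else "client_cert_rejected" if m.group(1) == "SSL3_GET_CLIENT_CERTIFICATE"
                         else "handshake_error")
        elif "SSL_accept was successful" in line:
            v.outcome = "accepted"   # check verify_output_seen before trusting this
    return v
```

An "accepted" verdict with cert_requested set and verify_output_seen clear is the case worth investigating: the server asked for a certificate, accepted the session, and the callback never reported on the chain.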