Re: [Exim] tls certificate verification

Góra strony
Delete this message
Reply to this message
Autor: Steve Haslam
Data:  
Dla: exim-users
Temat: Re: [Exim] tls certificate verification
On Tue, Sep 10, 2002 at 10:19:15AM +0100, Philip Hazel wrote:
> On Mon, 9 Sep 2002, Steve Haslam wrote:
>
> > host in tls_verify_hosts? yes (matched "*")
> > SMTP>> 220 TLS go ahead
> > Calling SSL_accept
> >
> > [ .. SSL gumpf here .. ]
> >
> > SSL_accept was successful
>
> ... which suggests it was happy with the certificate it received.


provided that the library understood it was supposed to check the
certificate... argh.

which OpenSSL version are you testing with? I'm using 0.9.6g

> > ... so, no messages from verify_callback() about the various stages of the
> > chain, which I think there should be.
>
> Hmm. This is an area where I'm floundering around much of the time.
> (Actually, that's true of most of OpenSSL, with the documentation I have
> managed to find at present.)


So you don't object to me spending some time poking around with
it? :)

> I do have a test for this stuff. I get debugging output from the server
> that looks like this when the client sends no certificate:


[debugging output]

ok, something funny is going on. I will continue to try and get the right
behaviour. I was also thinking along the lines of doing:

* Check DSA keys work (maybe I just need to set up a DH params file)

* Implement session cache db file (good for multiple msgs down the asme
channel since Exim reopens the SSL session for each message)

* Get randomness from EGD/PRNGD for systems without /dev/urandom (or with a
naff /dev/urandom)

SRH
--
Steve Haslam      Reading, UK                           araqnid@???
Debian GNU/Linux Maintainer                               araqnid@???
almost called it today, turned to face the void, numb with the suffering
and the question- "Why am I?"                                  [queensrÿche]