Re: [Exim] $tls_peerdn / tls_try_verify_hosts on incoming co…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Lutz Pressler
Date:  
À: exim-users
Sujet: Re: [Exim] $tls_peerdn / tls_try_verify_hosts on incoming connections?
On Wed, 23 Jul 2003, Philip Hazel wrote:
> On Tue, 22 Jul 2003, Lutz Pressler wrote:
> > tested with Exim 4.20 to 4.20(5), I'm not able to get $tls_peerdn
> > (or the DN of the connecting server) set on incoming TLS connections.
> >
> > That's even with tls_try_verify_hosts = * and tls_verify_certificates set
> > to some dummy entries.
> >
> > As I read the documentation, the DN of the connecting host's certificate
> > should be available in this case, but it's not.
>
> If the client sends a certificate, [...]

It has turned out, that this was the problem. The server side behaves
correctly, but clients have to be prepared to send a client certificate -
and most aren't. For Exim as a client, you have to explicitly point to the
certificate (and key) to use as a client cert by using the
"tls_certificate" option within the smtp transport(s) definition(s).
That's independant of "tls_certificate" in the main section, which is
used for defining the server certificate. Both can point to the same
file though.

Lutz

--
  _              |  Lutz Pressler          |  Tel: ++49-551-3700002
 |_     |\ |     |  Service Network GmbH   |  FAX: ++49-551-3700009
 ._|ER  | \|ET   |  Bahnhofsallee 1b       |   mailto:lp@SerNet.DE
Service Network  |  D-37081 Goettingen     |  http://www.SerNet.DE/