I'd appreciate someone pointing out where I've gone wrong here...
I'm trying to get my server to verify a client's certificate. This is a
client that I already have successfully using TLS to connect to me.
I added the following to my config:
tls_verify_certificates = CONFDIR/client_certs
tls_try_verify_hosts = *
where CONFDIR/client_certs is a directory, containing the cert supplied
by my client:
CONFDIR = /etc/exim4
diz # cd /etc/exim4/client_certs && ls -l
total 4
lrwxr-xr-x 1 root root 12 Sep 20 20:18 09d99784.0 -> gerhards.pem
-rw-r----- 1 root mail 1411 Sep 20 20:21 gerhards.pem
diz # openssl x509 -hash -noout -in gerhards.pem
09d99784
diz # head -1 gerhards.pem
-----BEGIN CERTIFICATE-----
With this in place, I get this error when the client tries to connect:
2003-09-20 20:22:09 TLS error on connection from host81-136-212-215.in-addr.btopenworld.com (bike.thegerhards.com) [81.136.212.215]:64887 (setup_certs): Certificate parsing error.
and worse, TLS itself has *failed* completely, not just failed to verify
the client cert. So the subsequent AUTH fails, since it's PLAIN, which I
only allow over TLS.
So, what have I done wrong, and why is TLS failing, given that I'm using
tls_try_verify_hosts and not tls_verify_hosts?
I assume it fails because this is some fatal error. I think that
tls_try_verify_hosts means exim should continue regardless if the client
cert can't be verified, but not if there's an error whilst trying to
verify...?
Any ideas appreciated...
Thanks.
cheers,
c.
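A check an administrator can run over a hashed certificate directory before pointing tls_verify_certificates at it, added here as an example and not part of the original post. It assumes the openssl command-line tool is on the PATH and that the directory uses the <hash>.N symlink layout shown above; the function name check_cert_dir is mine.

```shell
# check_cert_dir DIR: sanity-check a hashed certificate directory of the kind
# tls_verify_certificates expects. Every regular file must parse as an X.509
# certificate and be reachable through a symlink named <subject-hash>.N.
# Prints one line per file; returns 0 if all files pass, 1 otherwise.
check_cert_dir() {
    dir=$1
    rc=0
    for pem in "$dir"/*; do
        # only regular files that are not themselves symlinks
        { [ -f "$pem" ] && [ ! -L "$pem" ]; } || continue
        name=${pem##*/}
        # This parse step is where a "Certificate parsing error" shows up:
        # a private key, a PKCS#7 blob or a truncated PEM all fail here.
        if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
            echo "FAIL $name: not a parseable X.509 certificate"
            rc=1
            continue
        fi
        # -hash is the subject hash for the current OpenSSL algorithm;
        # -subject_hash_old gives the pre-1.0.0 value, so links made with an
        # old openssl are not found by a library using the new scheme.
        hash=$(openssl x509 -noout -hash -in "$pem")
        linked=0
        for link in "$dir/$hash".[0-9]*; do
            [ -L "$link" ] || continue
            # -ef compares inodes, so relative and absolute link targets both work
            if [ "$link" -ef "$pem" ]; then
                linked=1
                break
            fi
        done
        if [ "$linked" -eq 1 ]; then
            echo "ok   $name -> $hash.N"
        else
            echo "FAIL $name: no $hash.N symlink points at it"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `check_cert_dir /etc/exim4/client_certs`; a non-zero exit means at least one file would not be usable as a verification certificate.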