[Exim] TLS: no luck with verifying clients

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Calum Mackay
Date:  
À: exim-users
Sujet: [Exim] TLS: no luck with verifying clients
This is a cryptographically signed message in MIME format.
--
I'd appreciate someone pointing out where I've gone wrong here...

I'm trying to get my server to verify a client's certificate. This is a
client that I already have successfully using TLS to connect to me.

I added the following to my config:

    tls_verify_certificates = CONFDIR/client_certs
    tls_try_verify_hosts = *


where CONFDIR/client_certs is a directory, containing the cert supplied
by my client:

    CONFDIR = /etc/exim4


diz # cd /etc/exim4/client_certs && ls -l
total 4
lrwxr-xr-x    1 root     root           12 Sep 20 20:18 09d99784.0 ->
gerhards.pem
-rw-r-----    1 root     mail         1411 Sep 20 20:21 gerhards.pem
diz # openssl x509 -hash -noout -in gerhards.pem
09d99784
diz # head -1 gerhards.pem
-----BEGIN CERTIFICATE-----


With this in place, I get this error when the client tries to connect:

2003-09-20 20:22:09 TLS error on connection from
host81-136-212-215.in-addr.btopenworld.com (bike.thegerhards.com)
[81.136.212.215]:64887 (setup_certs): Certificate parsing error.

and worse, TLS itself has *failed* completely, not just failed to verify
the client cert. So the subsequent AUTH fails, since it's PLAIN, which I
only allow over TLS.

So, what have I done wrong, and why is TLS failing, given that I'm using
tls_try_verify_hosts and not tls_verify_hosts?

I assume it fails because this is some fatal error. I think that
tls_try_verify_hosts means exim should continue regardless if the client
cert can't be verified, but not if there's an error whilst trying to
verify...?

any ideas appreciated...

thanks.

cheers,
c.
--
Content-Description: S/MIME Cryptographic Signature

[ smime.p7s of type application/x-pkcs7-signature deleted ]
--