On Sat, 20 Sep 2003, Calum Mackay wrote:
> 2003-09-20 20:22:09 TLS error on connection from
> host81-136-212-215.in-addr.btopenworld.com (bike.thegerhards.com)
> [81.136.212.215]:64887 (setup_certs): Certificate parsing error.
I am not an expert in TLS, but that suggests that there is a problem
either in the certificate you have stashed for checking, or in the
certificate that the client has sent. The text of that error message is
coming from the TLS library, not from Exim itself.
> So, what have I done wrong, and why is TLS failing, given that I'm using
> tls_try_verify_hosts and not tls_verify_hosts?
tls_try_verify_hosts carries on if the TLS library says "certificate
doesn't match". This looks as though it is failing at a much earlier
stage.
> I assume it fails because this is some fatal error. I think that
> tls_try_verify_hosts means exim should continue regardless if the client
> cert can't be verified, but not if there's an error whilst trying to
> verify...?
That seems to be the way its interactions with the TLS library turn out.
If you try running with TLS debugging turned on (-d-all+tls) perhaps
some more information might be forthcoming - I would hope it would be
possible to deduce which certificate is causing the problem.
Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book