Re: [Exim] TLS: no luck with verifying clients

Author: Jonathan G - Mailing List
Date:  
To: exim-users
CC: Calum Mackay, ph10
Subject: Re: [Exim] TLS: no luck with verifying clients
Hi all,

I have Exim 4.22 + Exiscan-ACL running with TLS support (AES256-SHA1)
and I have experienced a similar problem. The solution in my case was
so easy. Be sure the cert file has enough permission to be read by the
user that runs Exim and (if you want) that it's owned by that user.

In my case my certificates are owned by user mail, who is the user that
executes Exim, and both certs are chmod'ed 600.

If you want to know how I have configured TLS in my Exim box, just go to
http://www.surestorm.com/data/Exim_exim.conf.html and take a look. I use
TLS to encrypt the session and avoid sending user and password in clear,
just this.

Best regards,

jonathan


PS: this is a piece of one of my headers:

"from ss2.bluebird.ibm.com ([129.42.208.140] helo=surestorm.com) by
soho.surestorm.com with asmtp (TLSv1:AES256-SHA:256) (Exim 4.22) id
1A1NuH-0004Gt-W8 for jonathan.gonzalez@???; Mon, 22 Sep 2003
12:27:02 +0200"


Philip Hazel wrote:

> On Sat, 20 Sep 2003, Calum Mackay wrote:
>
>
>>2003-09-20 20:22:09 TLS error on connection from
>>host81-136-212-215.in-addr.btopenworld.com (bike.thegerhards.com)
>>[81.136.212.215]:64887 (setup_certs): Certificate parsing error.
>
>
> I am not an expert in TLS, but that suggests that there is a problem
> either in the certificate you have stashed for checking, or in the
> certificate that the client has sent. The text of that error message is
> coming from the TLS library, not from Exim itself.
>
>
>>So, what have I done wrong, and why is TLS failing, given that I'm using
>>tls_try_verify_hosts and not tls_verify_hosts?
>
>
> tls_try_verify_hosts carries on if the TLS library says "certificate
> doesn't match". This looks as though it is failing at a much earlier
> stage.
>
>
>>I assume it fails because this is some fatal error. I think that
>>tls_try_verify_hosts means exim should continue regardless if the client
>>cert can't be verified, but not if there's an error whilst trying to
>>verify...?
>
>
> That seems to be the way its interactions with the TLS library turn out.
> If you try running with TLS debugging turned on (-d-all+tls) perhaps
> some more information might be forthcoming - I would hope it would be
> possible to deduce which certificate is causing the problem.
>
> Philip
>
> --
> Philip Hazel            University of Cambridge Computing Service,
> ph10@???      Cambridge, England. Phone: +44 1223 334714.
> Get the Exim 4 book:    http://www.uit.co.uk/exim-book



--
__________________________________________________________________
Jonathan Gonzalez - SureStorm.com Security Site - Madrid/MA/SPAIN
http://www.surestorm.com - GnuPG Key ID = 0xAA3EAC08

/"\
\ / ASCII RIBBON CAMPAIGN
X Against HTML mail & Microsoft attachments
/ \
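As an added example (not part of the original post and not Exim's own tooling), a small POSIX shell script that checks the conditions described above before debugging further: the files named by tls_certificate / tls_privatekey exist, are owned and readable by the user Exim runs as, the private key is not group/other readable, and the certificate parses with openssl. The script name, paths passed on the command line and the helper names are assumptions; only the default user "mail" comes from the post.

```shell
#!/bin/sh
# Added example: sanity-check Exim TLS certificate/key files.
# Usage: sh check_exim_tls_files.sh /path/to/cert.pem /path/to/key.pem [exim_user]

# file_mode_owner FILE -> prints "<mode string> <owner>" taken from ls -ld
file_mode_owner() {
  set -- $(ls -ld "$1") && printf '%s %s\n' "$1" "$3"
}

# check_readable_by_user FILE USER -> 0 if USER owns FILE and has the read bit
check_readable_by_user() {
  file=$1 user=$2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  set -- $(file_mode_owner "$file")
  mode=$1 owner=$2
  if [ "$owner" != "$user" ]; then
    echo "$file is owned by $owner, not $user" >&2; return 1
  fi
  # position 2 of the mode string is the owner's read bit
  if [ "$(printf '%s' "$mode" | cut -c2)" != "r" ]; then
    echo "$file: owner has no read permission ($mode)" >&2; return 1
  fi
}

# check_key_private FILE -> 0 if group and other have no permission bits (e.g. 600)
check_key_private() {
  file=$1
  set -- $(file_mode_owner "$file")
  case "$(printf '%s' "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "$file is readable by group/other ($1); chmod 600 it" >&2; return 1 ;;
  esac
}

# check_cert_parses FILE -> 0 if openssl can parse the PEM certificate
check_cert_parses() {
  openssl x509 -in "$1" -noout 2>/dev/null || {
    echo "$1 does not parse as a PEM certificate" >&2; return 1; }
}

main() {
  cert=$1 key=$2 user=${3:-mail}   # "mail" is the Exim run-as user in the post
  rc=0
  check_readable_by_user "$cert" "$user" || rc=1
  check_readable_by_user "$key" "$user"  || rc=1
  check_key_private "$key"               || rc=1
  check_cert_parses "$cert"              || rc=1
  return $rc
}

if [ $# -ge 2 ]; then main "$@"; fi
```

A non-zero exit with the messages on stderr points at the file to fix; if all checks pass, the next step is Exim's own TLS debugging (-d-all+tls) as suggested in the quoted reply.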