Re: [Exim] Re: Bug#220773: exim4 won't send client-side cert…

Author: Mark Foster
Date:  
To: exim-users, Noah Meyerhans, 220773-forwarded
Subject: Re: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
On Fri, Nov 14, 2003 at 04:14:39PM +0100, Andreas Metzler wrote:
> Hello,
> This is Bug#220773, reported against Debian GNU/Linux' bug tracking
> system, I cannot verify it locally as I am not using TLS certificate
> verification. Please cc both the bug-submitter and 220773-forwarded@??? on followups, thanks.
>
> On Fri, Nov 14, 2003 at 09:50:14AM -0500, Noah Meyerhans wrote:
> > Package: exim4-daemon-heavy
> > Version 4.24-3
> >
> > Exim doesn't send a certificate when operating on the client-end of a
> > secure SMTP conversation, even when properly configured. I suspect
> > that this is either a bug with GNUTLS or with the Exim upstream sources.
> > Exim behaves correctly when built against the OpenSSL libraries. This
> > is going to cause my organization problems when sarge is released, as
> > Debian is our standard Unix OS and we use certificate-based
> > authentication to control relaying on our central mail server (which
> > also runs Debian, though it uses a local build of Exim 4 as it's running
> > woody).
> >
> > The feature that is busted is described in section 36.4 of the exim spec
> > at http://www.exim.org/exim-html-4.20/doc/html/spec.html
> >
> > When watching exim in debug mode, it's clear that it is looking for and
> > finding the certificates, and it's not given any errors related to them.
> > But it never sends them.
> >
> > I don't have the debug output handy right now, but can provide it and
> > tcpdump output if you want to see it.
>
I can confirm that exim-4.22 on FreeBSD DOES send the client certificate
to a postfix MTA... as long as postfix requests it[1]. The question is, does
exim, acting as a TLS client automatically send the certificate it has, or
does it only do so when asked for it?

[1] The postfix main.cf option for this behaviour is smtpd_tls_ask_ccert = yes
ref: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html

--
Some days it's just not worth chewing through the restraints...
Mark Foster <mark@???> http://mark.foster.cc/
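The question at the end of the message is settled by the TLS handshake itself rather than by Exim: a TLS client sends its certificate only in reply to a CertificateRequest from the server, and a server that never sends one never sees the client's certificate no matter how the client is configured (Postfix's smtpd_tls_ask_ccert = yes is what makes it send that request). The Go program below is an added example, not part of this thread and not Exim or Postfix code: it runs two handshakes over an in-memory pipe with a client that always has a certificate loaded, once against a server that does not ask and once against one that does, and reports whether the server ended up with a peer certificate. The self-signed certificates and the hostnames mx.example.test and client.example.test are generated in-process for the demo and are not real keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one side of the
// handshake. Constructed in-process for this example; not a real MTA key.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// ClientCertSeen runs one TLS handshake over an in-memory pipe. The client
// always has a certificate configured; serverAsks decides whether the server
// sends a CertificateRequest (the analogue of Postfix's smtpd_tls_ask_ccert).
// It returns true if the server received a client certificate.
func ClientCertSeen(serverAsks bool) (bool, error) {
	srvCert, err := selfSigned("mx.example.test") // hypothetical hostname
	if err != nil {
		return false, err
	}
	cliCert, err := selfSigned("client.example.test") // hypothetical hostname
	if err != nil {
		return false, err
	}

	clientAuth := tls.NoClientCert // server never asks: no CertificateRequest on the wire
	if serverAsks {
		clientAuth = tls.RequestClientCert // server asks but does not require or verify
	}
	srvConf := &tls.Config{
		Certificates:           []tls.Certificate{srvCert},
		ClientAuth:             clientAuth,
		SessionTicketsDisabled: true, // unbuffered pipe: avoid blocking on post-handshake tickets
	}
	cliConf := &tls.Config{
		Certificates:       []tls.Certificate{cliCert}, // loaded in both runs, like Exim's tls_certificate
		InsecureSkipVerify: true,                       // self-signed server cert; demo only
	}

	rawSrv, rawCli := net.Pipe()
	defer rawSrv.Close()
	defer rawCli.Close()
	deadline := time.Now().Add(5 * time.Second) // fail loudly instead of hanging
	_ = rawSrv.SetDeadline(deadline)
	_ = rawCli.SetDeadline(deadline)

	srv := tls.Server(rawSrv, srvConf)
	cli := tls.Client(rawCli, cliConf)

	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return false, fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvDone; err != nil {
		return false, fmt.Errorf("server handshake: %w", err)
	}
	// PeerCertificates is populated only if the client actually sent a Certificate message.
	return len(srv.ConnectionState().PeerCertificates) > 0, nil
}

func main() {
	for _, asks := range []bool{false, true} {
		seen, err := ClientCertSeen(asks)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("server sends CertificateRequest: %-5v -> client certificate received: %v\n", asks, seen)
	}
}
```

The client configuration is identical in both runs; only the server's ClientAuth setting changes the outcome, which is why a debug trace on the client side can show the certificate being found and loaded while a packet capture shows it never leaving the box.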