Re: [Exim] Re: Bug#220773: exim4 won't send client-side cert…

Author: Andreas Metzler
Date:  
To: exim-users
CC: Noah Meyerhans, 220773
Subject: Re: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
On Fri, Nov 14, 2003 at 04:14:39PM +0100, Andreas Metzler wrote:
> On Fri, Nov 14, 2003 at 09:50:14AM -0500, Noah Meyerhans wrote:
> > Package: exim4-daemon-heavy
> > Version 4.24-3
> > Exim doesn't send a certificate when operating on the client-end of a
> > secure SMTP conversation, even when properly configured. I suspect
> > that this is either a bug with GNUTLS or with the Exim upstream sources.
> > Exim behaves correctly when built against the OpenSSL libraries.

[...]
> > When watching exim in debug mode, it's clear that it is looking for and
> > finding the certificates, and it's not given any errors related to them.
> > But it never sends them.

[...]

I've set up a test system on my local machine, with a second exim in a
chroot that sends to the main exim.

It works for me if I follow this advice:
| 36.4 Configuring an Exim client to use TLS

[...]
| The "tls_certificate" and "tls_privatekey" options of the smtp transport
| provide the client with a certificate, which is passed to the server if it
| requests it. If the server is Exim, it will request a certificate only if
| "tls_verify_hosts" or "tls_try_verify_hosts" matches the client.
I.e. for exim as TLS *client* you have to set
tls_certificate/tls_privatekey on the smtp transport; the
main-configuration options tls_certificate/tls_privatekey are supposed
to _only_ change exim's behaviour when acting as SMTP *server*.

And with -d I get this, if the transport options are not set:

    SMTP>> STARTTLS
  read response data: size=18
    SMTP<< 220 TLS go ahead
  initializing GnuTLS as a client
  read RSA and D-H parameters from file
  initialized RSA and D-H parameters
  no TLS client certificate is specified
If exim linked against OpenSSL behaves differently it would contradict the
documentation.

Noah, can you show us the respective sections of your configuration?
                cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
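As an added configuration example (not part of the thread and not Debian's packaged exim4 configuration), this shows the split the quoted documentation describes: the main-section options only affect Exim in the server role, and the same option names must be repeated on the smtp transport for Exim to present a certificate as a client. The certificate and key paths are placeholders.

```exim
# ---- Main configuration section (Exim as SMTP *server*) ----
# Offer STARTTLS to every client.
tls_advertise_hosts = *
# Certificate/key presented by Exim when it is the server side.
tls_certificate = /etc/exim4/exim.crt
tls_privatekey  = /etc/exim4/exim.key
# Ask every connecting client for a certificate but do not insist on one.
# Without tls_verify_hosts or tls_try_verify_hosts matching the peer,
# an Exim server never requests a client certificate at all.
tls_try_verify_hosts = *

begin transports

# ---- smtp transport (Exim as SMTP *client*) ----
remote_smtp:
  driver = smtp
  # These two options are what make the client send a certificate.
  # Setting them only in the main section leaves the debug trace at
  # "no TLS client certificate is specified", as seen above.
  tls_certificate = /etc/exim4/exim.crt
  tls_privatekey  = /etc/exim4/exim.key
```

With the transport options in place, `exim -d` on the sending side no longer reports "no TLS client certificate is specified" once the server requests a certificate.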