On Sat, Nov 15, 2003 at 04:51:31PM -0500, Noah L. Meyerhans wrote:
> On Sat, Nov 15, 2003 at 02:40:11PM +0100, Andreas Metzler wrote:
> > I've set up a test system on my local machine, with a second exim in
> > chroot that sends to the main exim.
> > It works for me if I follow this advice:
[...]
> > I.e. for exim as tls *client* you have to set
> > tls_certificate/tls_privatekey on the smtp-transport, the
> > main-configuration options tls_certificate/tls_privatekey are supposed
> > to _only_ change exim's behavior when acting as SMTP *server*.
> I'm well aware of how to configure client-side certificates in exim.
I was not. ;-)
> As I've said, it works as documented when exim is linked with
> openssl. But not with GNUTLS.
> > SMTP>> STARTTLS
> > read response data: size=18
> > SMTP<< 220 TLS go ahead
> > initializing GnuTLS as a client
> > read RSA and D-H parameters from file
> > initialized RSA and D-H parameters
> > no TLS client certificate is specified
> Yes, but that gives no indication that a certificate actually would have
> been sent. That just says that the libraries looked for one and didn't
> find it. I get the same message if there is no certificate. If there
> is a certificate, all the debug output indicates that everything is
> working properly, but the certificate is never actually sent. Watching
> the conversation in tcpdump or ethereal is a very good way to see this.
[...]
My way of testing was using 'tls_verify_hosts = *' on the server-side
exim, which showed quite clearly in the debug outputs (of both exims)
that the client indeed sent a certificate. I'll crosscheck with an exim
linked against openssl acting as server, and will use $tls_peerdn and
$tls_certificate_verified in received_header_text to ease debugging.
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
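As an added illustration of the two-exim test setup discussed above (this is not configuration from the thread or from the exim project; it is written in exim 4 configuration syntax, all file paths are placeholders, and `tls_verify_certificates`, `tls_advertise_hosts` and the `received_header_text` layout are assumptions not mentioned in the thread), the fragment below puts the client certificate and key on the `smtp` transport of the sending exim, while the receiving exim uses the main-section `tls_certificate`/`tls_privatekey` for its server role, requests a client certificate with `tls_verify_hosts = *`, and records `$tls_peerdn` and `$tls_certificate_verified` in the Received: header so a delivered message shows whether a client certificate actually arrived:

```exim
# ====== File 1: main configuration of the RECEIVING exim (SMTP server role) ======
# Main-section tls_certificate/tls_privatekey govern exim only when it acts
# as SMTP *server*.  Paths are placeholders (assumption), not thread values.
tls_advertise_hosts = *
tls_certificate = /etc/exim4/server-cert.pem
tls_privatekey  = /etc/exim4/server-key.pem

# Ask every connecting client for a certificate (as the test in the thread did)
# and name the CA it must chain to (assumption: needed for a verified result).
tls_verify_hosts = *
tls_verify_certificates = /etc/exim4/ca-cert.pem

# Put the client's DN and the verification flag into the Received: header.
# $tls_certificate_verified is "1" only when the client cert verified;
# the {0} branch prints 0 when no certificate was presented at all.
received_header_text = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
  {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}\
  ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol}} \
  ${if def:tls_cipher {($tls_cipher)\n\t}}\
  ${if def:tls_peerdn {(client DN: $tls_peerdn)\n\t}}\
  (client cert verified=${if def:tls_certificate_verified {$tls_certificate_verified}{0}})\n\t\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}

# ====== File 2: transports section of the SENDING exim (TLS client role) ======
# For exim as TLS *client*, the certificate and key belong on the smtp
# transport; setting them in this exim's main section would have no effect
# on what it sends to the receiving exim.
begin transports

remote_smtp:
  driver = smtp
  tls_certificate = /etc/exim4/client-cert.pem
  tls_privatekey  = /etc/exim4/client-key.pem
```

With both sides configured this way, a message relayed through the chroot exim carries a Received: line with `verified=1` and the client DN when the certificate was sent and chained to the CA, and `verified=0` with no DN when nothing was presented, which is the same distinction the debug output and a packet capture make, but visible in the stored message itself.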