
Author: Andreas Metzler
Date:  
To: exim-users
CC: 220773, Noah Meyerhans
Subject: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
On Sat, Nov 15, 2003 at 04:51:31PM -0500, Noah L. Meyerhans wrote:
> On Sat, Nov 15, 2003 at 02:40:11PM +0100, Andreas Metzler wrote:
> > I've set up a test system on my local machine, with a second exim in
> > chroot that sends to the main exim.
> > It works for me if I follow this advice:

[...]
> > I.e. for exim as tls *client* you have to set
> > tls_certificate/tls_privatekey on the smtp-transport, the
> > main-configuration options tls_certificate/tls_privatekey are supposed
> > to _only_ change exim's behavior when acting as SMTP *server*.
> I'm well aware of how to configure client-side certificates in exim.
I was not. ;-)

> As I've said, it works as documented when exim is linked with
> openssl. But not with GNUTLS.
> >     SMTP>> STARTTLS
> >   read response data: size=18
> >     SMTP<< 220 TLS go ahead
> >   initializing GnuTLS as a client
> >   read RSA and D-H parameters from file
> >   initialized RSA and D-H parameters
> >   no TLS client certificate is specified
> Yes, but that gives no indication that a certificate actually would have
> been sent. That just says that the libraries looked for one and didn't
> find it. I get the same message if there is no certificate. If there
> is a certificate, all the debug output indicates that everything is
> working properly, but the certificate is never actually sent. Watching
> the conversation in tcpdump or ethereal is a very good way to see this.

[...]

My way of testing was using 'tls_verify_hosts = *' on the server-side
exim, which showed quite clearly in the debug outputs (of both exims)
that the client indeed sent a certificate. I'll cross-check with an exim
linked against openssl acting as server, and will use $tls_peerdn and
$tls_certificate_verified in received_header_text to ease debugging.
                    cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
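Below is an added example of the two-exim test setup the thread describes; it is not Andreas' or Noah's configuration, nor Debian's default, and the certificate, key and CA paths are assumptions to be replaced with your own PEM files. It shows the client-side certificate options on the smtp transport (main-section tls_certificate/tls_privatekey only affect exim as a server) and, on the receiving side, tls_verify_hosts plus a received_header_text that records $tls_peerdn and $tls_certificate_verified. One caveat that bears on the tcpdump observation above: a TLS client only sends a certificate after the server sends a CertificateRequest, and exim as a server only requests one from hosts matching tls_verify_hosts or tls_try_verify_hosts, so with neither set the client cannot appear on the wire whatever its transport says.

```exim
# ---- Configuration file of the receiving ("main") exim ----
# Main section: exim as SMTP *server*.
tls_advertise_hosts = *
tls_certificate = /etc/exim4/server.pem        # assumed path
tls_privatekey = /etc/exim4/server.key         # assumed path

# CA bundle used to verify the *client's* certificate (assumed path).
tls_verify_certificates = /etc/exim4/client-ca.pem

# Request and require a client certificate from every connecting host.
# Only hosts matching tls_verify_hosts/tls_try_verify_hosts are ever sent
# a CertificateRequest; without this the client never sends one.
tls_verify_hosts = *

# Record peer DN and verification result in the Received: header, so the
# outcome is visible in the delivered message, not only in -d output.
received_header_text = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol}} \
  ${if def:tls_cipher {($tls_cipher)\n\t}}\
  ${if def:tls_peerdn {(peerdn=$tls_peerdn \
    verified=$tls_certificate_verified)\n\t}}\
  (Exim $version_number)\n\t\
  id $message_id\
  ${if def:received_for {\n\tfor $received_for}}


# ---- Configuration file of the sending (chrooted) exim ----
# Transport section: exim as SMTP *client*.  The certificate and key used
# for outgoing TLS must be set here, on the smtp transport.
begin transports

remote_smtp:
  driver = smtp
  hosts_require_tls = *
  tls_certificate = /etc/exim4/client.pem      # assumed path
  tls_privatekey = /etc/exim4/client.key       # assumed path
  # Optionally verify the server's certificate as well (assumed path).
  tls_verify_certificates = /etc/exim4/server-ca.pem
```

With both sides configured this way, a message relayed through the test pair carries a Received: line with peerdn= and verified=1 when the client certificate was sent and accepted; if the transport certificate is silently not sent, the peerdn field is absent and the server-side exim rejects the STARTTLS session because tls_verify_hosts requires a certificate, which is a cleaner signal than watching the handshake in tcpdump.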