[Exim] Re: Bug#220773: exim4 won't send client-side certific…

Pàgina inicial
Delete this message
Reply to this message
Autor: Noah Meyerhans
Data:  
A: Andreas Metzler, exim-users, 220773
Assumpte: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
--
OK, I've figured some more stuff out here...

On the server, I replaced tls_try_verify_hosts = * with the stricter
tls_verify_hosts = * in the global settings. This lead the server to
log the following error when running with TLS debugging turned on.

13064 TLS error on connection from aphid.morgul.net (localhost) [66.92.78.252] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

So this basically seems to confirm my original observation that the exim
client simply wouldn't send a certificate when the client requested one.

Now... Here's the *really weird* part. Just for fun, I tried
configuring my exim4 client to relay through a server runnnig
*sendmail*, and everything worked! So now the situation is even more
unbelievable.

It seems that the problem might actually be on the server side of exim,
now. The client is clearly capable of sending a certificate, as I see
it doing just that when talking to a sendmail server. Additionally, the
exim4 server is capable of requesting and verifying certificates, as I
see it doing just that when using e.g. mozilla as a client.

Argh... Does anybody know how to go about debugging the certificate
exchange? I don't know much about it at all, and don't know how to
debug the actual conversation that takes place between the two machines.
I have full access to both the client and server in this case, and can
modify code... I might do just that, in an attempt to generate more
verbose output. I'll also check the GNUTLS docs for pointers.
Assistance is much appreciated, in any case.

noah

--
[ Content of type application/pgp-signature deleted ]
--