Author: Oliver Eikemeier
Date:
To: Noah Meyerhans
CC: Andreas Metzler, exim-users, 220773
Subject: Re: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
Noah Meyerhans wrote:
> --
> OK, I've figured some more stuff out here...
>
> On the server, I replaced tls_try_verify_hosts = * with the stricter
> tls_verify_hosts = * in the global settings. This lead the server to
> log the following error when running with TLS debugging turned on.
>
> 13064 TLS error on connection from aphid.morgul.net (localhost) [66.92.78.252] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>
> So this basically seems to confirm my original observation that the exim
> client simply wouldn't send a certificate when the client requested one.
>
> Now... Here's the *really weird* part. Just for fun, I tried
> configuring my exim4 client to relay through a server running
> *sendmail*, and everything worked! So now the situation is even more
> unbelievable.
>
> It seems that the problem might actually be on the server side of exim,
> now. The client is clearly capable of sending a certificate, as I see
> it doing just that when talking to a sendmail server. Additionally, the
> exim4 server is capable of requesting and verifying certificates, as I
> see it doing just that when using e.g. mozilla as a client.
>
> Argh... Does anybody know how to go about debugging the certificate
> exchange? I don't know much about it at all, and don't know how to
> debug the actual conversation that takes place between the two machines.
> I have full access to both the client and server in this case, and can
> modify code... I might do just that, in an attempt to generate more
> verbose output. I'll also check the GNUTLS docs for pointers.
> Assistance is much appreciated, in any case.
>
> noah
Two useful tools in debugging my configuration were s_client(1) from
OpenSSL and smtptest(1) from Cyrus-IMAPd. There is also an s_server(1)
in OpenSSL, but afaik it doesn't support STARTTLS.
Perhaps debugging will be easier on the server side if you start exim
on port smtps (465) with exim -tls-on-connect
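An added example of the s_client approach suggested above (this is not code from the thread or from the Exim project): it probes an SMTP server over STARTTLS while offering a client certificate, and then inspects the s_client transcript for the marker OpenSSL prints when the server sends a CertificateRequest. That is the first thing to check in the situation above: a TLS client only sends its certificate if the server asks for one, so if the transcript reads "No client certificate CA names sent", the server side never requested it. The host name, port and file names are placeholders, and the transcripts at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original thread. Host, port, certificate and
# key file names are placeholder assumptions; sample transcripts below are
# constructed to look like real s_client output.

# Run s_client against a STARTTLS-capable SMTP server, offering a client
# certificate and key, and print the handshake transcript.
# Usage: probe_smtp_tls mail.example.org 25 client.pem client.key ca.pem
probe_smtp_tls() {
    host=$1 port=$2 cert=$3 key=$4 cafile=$5
    # -starttls smtp: speak plain SMTP first and upgrade, as exim does.
    # -cert/-key:     the client certificate the server should be shown.
    # -CAfile:        CA bundle used to verify the server's certificate.
    # </dev/null:     close stdin so s_client exits after the handshake.
    openssl s_client -connect "$host:$port" -starttls smtp \
        -cert "$cert" -key "$key" -CAfile "$cafile" </dev/null 2>&1
}

# Read an s_client transcript on stdin and decide whether the server sent a
# CertificateRequest. OpenSSL prints the CA list it received under
# "Acceptable client certificate CA names"; when no request was made it
# prints "No client certificate CA names sent".
# Returns 0 (requested), 1 (not requested), 2 (no marker found, e.g. the
# handshake failed before that point).
client_cert_requested() {
    transcript=$(cat)
    case $transcript in
        *"Acceptable client certificate CA names"*) return 0 ;;
        *"No client certificate CA names sent"*)    return 1 ;;
        *)                                          return 2 ;;
    esac
}

# Extract the numeric verify result from a transcript ("Verify return
# code: N (text)"); 0 means the server's chain verified against -CAfile.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample: a server that asked for a client certificate.
sample_transcript_requested() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 /C=US/O=Example CA/CN=Example Root
verify return:1
---
Acceptable client certificate CA names
/C=US/O=Example CA/CN=Example Root
---
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: a server that did not ask for one.
sample_transcript_not_requested() {
    cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

In the situation described in the thread, running `probe_smtp_tls` against the exim4 server and piping the result through `client_cert_requested` tells you at once whether the exim4 server side is emitting a CertificateRequest; running it against the sendmail server that worked gives the transcript to compare against.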