Re: [Exim] Re: Bug#220773: exim4 won't send client-side cert…

Author: Noah Meyerhans
Date:  
To: Oliver Eikemeier
CC: Andreas Metzler, exim-users, 220773
Subject: Re: [Exim] Re: Bug#220773: exim4 won't send client-side certificates
--
On Mon, Nov 17, 2003 at 01:51:58AM +0100, Oliver Eikemeier wrote:
> Two useful tools in debugging my configuration were s_client(1) from
> OpenSSL and smtptest(1) from Cyrus-IMAPd. There is also an s_server(1)
> in OpenSSL, but afaik it doesn't support STARTTLS.


Yes, I have now tested things using the openssl s_client tool and the
GNUTLS gnutls-cli tools. The behavior indicates to me that something
is, in fact, wrong with GNUTLS. I don't see any sign of errors, but
gnutls-cli never sends a certificate. openssl s_client does.

I've attached the output of the two commands. If anybody spots anything
wrong with the conversations involved in either of them, let me know.
Otherwise, I'll take this up with the GNUTLS mailing lists. Though the
fact that GNUTLS works OK when talking to a sendmail+openssl server
makes me uncertain that even that is really the source of the problem.

noah

--
gnat:~# openssl s_client -connect 18.24.4.31:25 -cert /etc/exim4/gnat.client.pem -key /etc/exim4/gnat.client.key -CAfile /etc/exim4/certs/foo.pem -tls1
CONNECTED(00000003)
depth=2 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/CN=Master CA/emailAddress=bug-lcs-certificates@???
verify return:1
depth=1 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=SSL Server CA/emailAddress=bug-lcs-certificates@???
verify return:1
depth=0 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=incoming.csail.mit.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=incoming.csail.mit.edu
   i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=SSL Server CA/emailAddress=bug-lcs-certificates@???
 1 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=SSL Server CA/emailAddress=bug-lcs-certificates@???
   i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/CN=Master CA/emailAddress=bug-lcs-certificates@???
 2 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/CN=Master CA/emailAddress=bug-lcs-certificates@???
   i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/CN=Master CA/emailAddress=bug-lcs-certificates@???
---
Server certificate
subject=/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=incoming.csail.mit.edu
issuer=/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=SSL Servers/CN=SSL Server CA/emailAddress=bug-lcs-certificates@???
---
No client certificate CA names sent
---
SSL handshake has read 4330 bytes and written 2136 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: C5FB7D4AE3983F2FBEE4939E8911B57DFC4B4BF250F4FAA17703233D006C70C7
    Session-ID-ctx:
    Master-Key: 7B030AC4F14DDB89D0D59B1F98721EC00C26A62072A48A7CCE13B70B7AA07E16F00AD6C5DBC9E1896BFAAF7628B864F7
    Key-Arg   : None
    Start Time: 1069045997
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
220 mx-stage.csail.mit.edu ESMTP Exim 4.22 Mon, 17 Nov 2003 00:15:25 -0500
ehlo gnat
250-mx-stage.csail.mit.edu Hello aphid.morgul.net [66.92.78.252]
250-SIZE 52428800
250-PIPELINING
250-AUTH CRAM-MD5
250 HELP
mail from:<noahm@???>
250 OK
rcpt to:<frodo@???>
250 Accepted
quit
221 mx-stage.csail.mit.edu closing connection


--
gnat:~# gnutls-cli -p 25 --x509cafile /etc/exim4/certs/foo.pem --x509keyfile /etc/exim4/gnat.client.key --x509certfile /etc/exim4/gnat.client.pem mx-stage.csail.mit.edu
Processed 2 CA certificate(s).
Resolving 'mx-stage.csail.mit.edu'...
Connecting to '18.24.4.31:25'...
- Certificate type: X.509
- Certificate info:
# Certificate is valid since: Tue Aug 5 17:00:00 EDT 2003
# Certificate expires: Wed Aug 4 17:00:00 EDT 2004
# Certificate fingerprint: 9a 4b f1 3f 69 e0 c7 be 52 60 6b 8c 0d 61 cb 26
# Certificate serial number: 20
# Certificate version: #3
# Certificate public key algorithm: RSA
# Modulus: 2048 bits
# CN=incoming.csail.mit.edu,OU=SSL Servers,O=MIT Laboratory for Computer Science,L=Cambridge,ST=Massachusetts,C=US
# Certificate Issuer's info:
# CN=SSL Server CA,E=bug-lcs-certificates@???,OU=SSL Servers,O=MIT Laboratory for Computer Science,L=Cambridge,ST=Massachusetts,C=US

- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: SHA
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

220 mx-stage.csail.mit.edu ESMTP Exim 4.22 Sun, 16 Nov 2003 23:35:50 -0500
ehlo gnat
250-mx-stage.csail.mit.edu Hello aphid.morgul.net [66.92.78.252]
250-SIZE 52428800
250-PIPELINING
250-AUTH CRAM-MD5
250 HELP
mail from:<noahm@???>
250 OK
rcpt to:<frodo@???>
550 relay not permitted
quit
221 mx-stage.csail.mit.edu closing connection
- Peer has closed the GNUTLS connection

--
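The comparison the two transcripts above invite, as an added example (not code from this thread or from Exim/GnuTLS): a small parser for the signals that matter in either tool's output (server-certificate verification and the RCPT reply), a heuristic reading of two runs, and an smtplib probe for checking one's own MX directly with a client certificate. The host, addresses and certificate paths passed to probe_relay are placeholders, and the embedded transcripts are abridged from the message.

```python
"""Diagnose a client-certificate problem on a STARTTLS MX from test-tool
transcripts, and probe the MX with smtplib. Added example; paths are placeholders."""
import re
import smtplib
import ssl

# Abridged transcripts, constructed from the two runs quoted in the message.
S_CLIENT_RUN = """\
    Verify return code: 0 (ok)
rcpt to:<frodo@???>
250 Accepted
"""
GNUTLS_RUN = """\
- Peer's certificate is trusted
rcpt to:<frodo@???>
550 relay not permitted
"""

def summarize(transcript):
    """Extract server-cert verification and the RCPT reply code from
    openssl s_client or gnutls-cli style output."""
    verify = re.search(r"Verify return code: (\d+)", transcript)
    verified = (verify.group(1) == "0" if verify
                else "Peer's certificate is trusted" in transcript)
    rcpt = re.search(r"^rcpt to:.*\n(\d{3}) ", transcript, re.I | re.M)
    code = int(rcpt.group(1)) if rcpt else None
    return {"server_cert_verified": verified, "rcpt_code": code,
            "relay_accepted": code is not None and 200 <= code < 300}

def compare_runs(good, bad):
    """Heuristic for two runs against the same MX and recipient: if both trust
    the server but only one may relay, the difference is on the client-cert side."""
    if not (good["server_cert_verified"] and bad["server_cert_verified"]):
        return "server-trust"      # fix the CA file before blaming client certs
    if good["relay_accepted"] and not bad["relay_accepted"]:
        return "client-cert"       # cert not sent, or not accepted by the MX
    return "no-difference"

def probe_relay(host, sender, rcpt, certfile, keyfile, cafile, port=25):
    """EHLO / STARTTLS / EHLO / MAIL / RCPT against your own MX, presenting a
    client certificate; returns the RCPT reply code (2xx = relay allowed)."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the MX cert
    ctx.load_cert_chain(certfile, keyfile)            # client cert under test
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()                                   # re-EHLO after TLS (RFC 3207)
        smtp.mail(sender)
        code, _ = smtp.rcpt(rcpt)
        return code
```

Run summarize on each tool's full output and compare_runs on the pair; probe_relay gives the same RCPT answer without depending on either tool's client-certificate handling.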