Re: [Exim] possible bug in cert verification

Author: Philip Hazel
Date:  
To: Mark Foster
CC: exim-users
Subject: Re: [Exim] possible bug in cert verification
On Fri, 23 Jan 2004, Mark Foster wrote:

> It appears that the $tls_certificate_verified is being set to 1 even if the
> client certificate is expired. See http://test.smtp.org/ for more info.
> Can anyone confirm?
>
> 2004-01-23 09:21:55 SSL verify error: depth=0 error=certificate has expired cert=/C=US/ST=California/L=Emeryville/O=test.smtp.org/CN=test.smtp.org/emailAddress=postmaster@???
> 2004-01-23 09:21:55 SSL verify error: depth=0 error=certificate has expired cert=/C=US/ST=California/L=Emeryville/O=test.smtp.org/CN=test.smtp.org/emailAddress=postmaster@???
> 2004-01-23 09:21:55 H=horsey.gshapiro.net (test.smtp.org) [64.105.95.154] Warning: verified peer dn /C=US/ST=California/L=Emeryville/O=test.smtp.org/CN=test.smtp.org/emailAddress=postmaster@???
> 2004-01-23 09:21:58 1Ak50F-000PIX-Th <= <> H=horsey.gshapiro.net (test.smtp.org) [64.105.95.154] P=esmtp X=TLSv1:AES256-SHA:256 DN="/C=US/ST=California/L=Emeryville/O=test.smtp.org/CN=test.smtp.org/emailAddress=postmaster@???" S=3390 id=200401231721.i0NHLpQr086509@???


Odd that it logs a verify error and still thinks it verified. Problem
noted. Hopefully one day I'll get time to check it out. (I'm feeling
rather snowed under just at the moment.)



--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
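
Added example, not part of the original message and not Exim code: a log check for the symptom reported above, where an "SSL verify error" for a certificate is followed shortly afterwards by a line treating the same DN as verified. The sample log, hosts and DNs are constructed placeholders, and the "verified peer dn" pattern is assumed to match whatever text the local configuration logs when `$tls_certificate_verified` is set.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (placeholder hosts and DNs), shaped like the quoted lines.
SAMPLE_LOG = """\
2004-01-23 09:21:55 SSL verify error: depth=0 error=certificate has expired cert=/C=US/O=example.test/CN=expired.example.test
2004-01-23 09:21:55 H=client.example.test [192.0.2.10] Warning: verified peer dn /C=US/O=example.test/CN=expired.example.test
2004-01-23 09:25:10 SSL verify error: depth=0 error=self signed certificate cert=/C=US/O=example.test/CN=rejected.example.test
2004-01-23 09:30:00 H=other.example.test [192.0.2.20] Warning: verified peer dn /C=US/O=example.test/CN=good.example.test
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
ERR_RE = re.compile(TS + r"SSL verify error: depth=(\d+) error=(.*?) cert=(.+)$")
# Assumption: this text is what the local configuration logs for a verified
# peer, as in the quoted excerpt; adjust it to your own log message.
VERIFIED_RE = re.compile(TS + r".*verified peer dn (.+)$")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def find_contradictions(log_text, window_seconds=60):
    """Return (error_time, error_reason, dn, verified_time) for each DN that is
    logged as verified within window_seconds after a verify error for it."""
    # The verify-error line carries no host or connection id, so correlation
    # is by certificate DN and time proximity only.
    recent_errors = {}  # dn -> (time, reason) of the latest verify error
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.match(line)
        if m:
            recent_errors[m.group(4).strip()] = (_ts(m.group(1)), m.group(3))
            continue
        m = VERIFIED_RE.match(line)
        if m:
            dn, when = m.group(2).strip(), _ts(m.group(1))
            err = recent_errors.get(dn)
            if err and timedelta(0) <= when - err[0] <= timedelta(seconds=window_seconds):
                findings.append((err[0], err[1], dn, when))
    return findings

if __name__ == "__main__":
    for err_time, reason, dn, ok_time in find_contradictions(SAMPLE_LOG):
        print(f"{ok_time} treated as verified despite '{reason}' at {err_time}: {dn}")
```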