Re: [exim] TLS error: Error while reading file - which file?

Author: Philip Hazel
Date:  
To: Marc Haber
CC: exim-users
Subject: Re: [exim] TLS error: Error while reading file - which file?
On Wed, 24 Nov 2004, Marc Haber wrote:

> On Wed, 24 Nov 2004 10:21:19 +0000 (GMT), Philip Hazel
> <ph10@???> wrote:
> >On Wed, 24 Nov 2004, Marc Haber wrote:
> >> When exim 4.43 cannot find the certificate file when doing starttls,
> >> it logs "TLS error on connection from $HOST: (cert/key setup): Error
> >> while reading file.".
> >>
> >> It would be helpful if the path being accessed would be logged as
> >> well: It helps spotting obvious typos, and it helps determining
> >> whether key or cert is not found.
> >
> >OpenSSL or GnuTLS?
>
> GnuTLS.


The string "Error while reading file." is the output from the function
gnutls_strerror(), which is called to get some text for the error number
that has been returned. Pity it doesn't include the name of the file it
is trying to read.

However, for that particular error, it should be possible to add the
file names (certificate and key) into the comment in parentheses. Yes,
it's easy. I have done it. The error now reads like this:

  TLS error on connection from (rhu.barb) [::1] (cert/key setup: 
    cert=/non/exist key=/non/exist): Error while reading file.


Patch below.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book




*** exim-4.43/src/tls-gnu.c Tue Oct  5 09:32:08 2004
--- tls-gnu.c    Thu Nov 25 10:04:48 2004
***************
*** 459,465 ****
      cert_expanded, key_expanded);
    rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
      CS key_expanded, GNUTLS_X509_FMT_PEM);
!   if (rc < 0) return tls_error(US"cert/key setup", host, rc);
    }


  /* A certificate is mandatory in a server, but not in a client */
--- 461,472 ----
      cert_expanded, key_expanded);
    rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
      CS key_expanded, GNUTLS_X509_FMT_PEM);
!   if (rc < 0) 
!     {
!     uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
!       cert_expanded, key_expanded); 
!     return tls_error(msg, host, rc);
!     } 
    }


/* A certificate is mandatory in a server, but not in a client */
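Review bot: The new message prints both paths but still cannot say which of the two GnuTLS failed to read, which was half of the original request ("whether key or cert is not found"); a stat() on cert_expanded and key_expanded before the gnutls_certificate_set_x509_key_file() call would let the message name the unreadable one (and its errno text) instead of only the generic gnutls_strerror() string. Also trim the trailing whitespace on the lines `if (rc < 0) `, `cert_expanded, key_expanded); ` and `} ` in the new block before committing.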