[exim] TLS and Client Certificate Verification

Author: Lars Mainka
Date:  
To: exim-users
Subject: [exim] TLS and Client Certificate Verification
Hello,

I am a little bit confused about the verification of client
certificates, so I am possibly getting the documentation wrong.

When I connect with my mailclient to the smtps port, there is a
successful TLS handshake and I can send my outgoing mail. So far so
good. I am wondering about the fact that the successful TLS negotiation seems
not to depend on the client cert in the tls_verify_certificates
directory, but rather on the CA cert in that directory.

In my mind, the directory must contain my client cert to allow the
client to connect to the mailserver, not only the CA cert. Is this wrong?

What I am looking for is a client authorization with certificates,
before anything else is possible for the client. I did a ktrace for the
whole process and Exim only verifies my client cert against the CA
cert, not against the other certs in the directory.

So the main question is: what do I have to do to check, on handshake,
against the clients' certificates?

I am using a self-signed CA certificate and a cert for the mailserver
which is signed by the CA, the daemon_smtp_ports = smtp : smtps and
tls_on_connect_ports = 465 statements. My client MUA is on a host which
is listed in the tls_verify_hosts; the tls_certificate file contains the
CA cert, the mailserver cert and the mailserver's private key.

System is FreeBSD 5.1-Release
OpenSSL 0.9.7e
Exim 4.44 with OpenSSL and MySQL support.

Thanx in advance,
(confused) Lars
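What the post observes is chain verification: any certificate issued by a CA listed in tls_verify_certificates passes the handshake, so restricting the server to particular clients is a separate authorization step on the verified identity. The configuration below is an added illustration, not from the post or from Exim's own documentation examples; the file paths, the host range and the subject DN are placeholders, and it relies on the documented tls_verify_hosts, tls_verify_certificates, $tls_peerdn and ACL `verify = certificate` (check the spec for your release; newer versions name the variable $tls_in_peerdn).

```exim
# Added example Exim 4 configuration fragment; paths, host range and the
# DN are placeholders, not values from the original post.
daemon_smtp_ports    = smtp : smtps
tls_on_connect_ports = 465
tls_certificate      = /usr/local/etc/exim/mailserver.pem
tls_privatekey       = /usr/local/etc/exim/mailserver.key

# Chain verification: only CA certificate(s) belong here. Every client
# certificate issued by this CA will pass the handshake; adding a
# client's own certificate to this file does not restrict access.
# (With OpenSSL, a directory given here must be hashed with c_rehash.)
tls_verify_certificates = /usr/local/etc/exim/ca.pem

# Hosts for which a client certificate is mandatory and must verify;
# the TLS session is terminated if verification fails.
tls_verify_hosts = 192.0.2.0/24

acl_smtp_mail = acl_check_mail

begin acl

# Authorization on the verified identity: the handshake proved that the
# CA issued the certificate; this ACL decides whether that particular
# client may submit mail.
acl_check_mail:
  # Defensive check for hosts outside tls_verify_hosts and plain sessions.
  deny  message  = A verified client certificate is required
        !verify  = certificate

  # tls_clients (assumed format) holds one subject DN per line in
  # OpenSSL's one-line form, quoted, followed by a colon, e.g.
  #   "/C=DE/O=Example/CN=lars": allowed
  deny  message  = Certificate $tls_peerdn is not authorised to submit mail
        !condition = ${lookup{$tls_peerdn}lsearch{/usr/local/etc/exim/tls_clients}{yes}{no}}

  accept
```

Revoking one client then means removing its DN from tls_clients (or using CRLs at the CA layer), without touching the CA certificate that tls_verify_certificates trusts.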