[exim] exim4 client with GnuTLS and exim4 server with OpenSS…

Author: Marek Maj(c)herek Majchrowski
Date:  
To: exim-users
Subject: [exim] exim4 client with GnuTLS and exim4 server with OpenSSL and certificate problem
Hi,
I've a problem between two exims.

One is a client compiled with GnuTLS support, the other is a server
compiled with OpenSSL.

I've something like this in the ACL on the server side:

begin acl

check_recipient:
  accept  hosts         = :
  drop    message       = I don't take more than 20 RCPTs
          condition     = ${if > {$rcpt_count}{20}{yes}{no}}

[cut]

  require message       = Can't verify sender
          verify        = sender
          message       = Can't verify recipient
          verify        = recipient

  accept  recipients    = postmaster@xxx

  accept  domains       = +local_domains

  accept  hosts         = +relay_hosts

  accept  hosts         = +tls_relay_hosts
          verify        = certificate

  accept  hosts         = +auth_relay_hosts
          authenticated = *

  deny    message       = relay not permitted


And:
hostlist auth_relay_hosts = *
tls_try_verify_hosts = *
hostlist tls_relay_hosts = *
tls_verify_certificates = /etc/exim/certs
tls_certificate = /etc/ssl/certs/exim.pem
tls_privatekey = /etc/ssl/certs/exim.pem

I often use the same computer with Linux/Win2k and I need to
authenticate once using PLAIN TEXT and once using certs.

On the client side I've:
begin routers
smarthost:
driver = manualroute
domains = ! +local_domains
route_list = * pc-4.chomiczowka.waw.pl bydns
transport = remote_smtp
no_more


And in the transport:
remote_smtp:
driver = smtp
hosts_require_tls = pc-4.chomiczowka.waw.pl
tls_certificate = /etc/ssl/certs/exim-client.neptun.majcom-cert.pem
tls_privatekey = /etc/ssl/certs/exim-client.neptun.majcom-key.pem
tls_require_ciphers = AES : 3DES

For debugging, I changed the server from tls_try_verify_hosts to tls_verify_hosts

and ran exim4 -bd -d+tls 2>&1|tee exim

12129 SMTP>> 250-pc-4.chomiczowka.waw.pl Hello chello212186088174.chello.pl [212.186.88.174]
12129 250-SIZE 10485760
12129 250-8BITMIME
12129 250-PIPELINING
12129 250-AUTH PLAIN LOGIN
12129 250-STARTTLS
12129 250 HELP
12129 SMTP<< STARTTLS
12129 tls_certificate file /etc/ssl/certs/exim.pem
12129 tls_privatekey file /etc/ssl/certs/exim.pem
12129 Initialized TLS
12129 host in tls_verify_hosts? yes (matched "212.186.88.174")
12129 SMTP>> 220 TLS go ahead
12129 Calling SSL_accept
12129 SSL info: before/accept initialization
12129 SSL info: before/accept initialization
12129 SSL info: SSLv3 read client hello A
12129 SSL info: SSLv3 write server hello A
12129 SSL info: SSLv3 write certificate A
12129 SSL info: SSLv3 write certificate request A
12129 SSL info: SSLv3 flush data
12129 SSL info: SSLv3 read client certificate B
12129 SSL info: SSLv3 read client certificate B
12129 SSL info: SSLv3 read client certificate B
12129 LOG: MAIN
12129 TLS error on connection from chello212186088174.chello.pl (marek.majcom) [212.186.88.174]:59145 (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
12129 TLS failed to start
12129 LOG: smtp_connection MAIN
12129 SMTP connection from chello212186088174.chello.pl (marek.majcom) [212.186.88.174]:59145 closed by EOF
12129 search_tidyup called
13124 child 12129 ended: status=0x0
13124 0 SMTP accept processes now running
13124 Listening...


On the client side I tried:

$ gnutls-cli -s --x509keyfile key.pem --x509certfile cert.pem -p 25 pc-4.chomi>
Resolving 'pc-4.chomiczowka.waw.pl'...
Connecting to '195.136.32.4:25'...

- Simple Client Mode:

220 ESMTP neptun [pc-4.chomiczowka.waw.pl]
EHLO DUPA
250-pc-4.chomiczowka.waw.pl Hello chello212186088174.chello.pl [212.186.88.174]
250-SIZE 10485760
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.

- Certificate[0] info:
# The hostname in the certificate matches 'pc-4.chomiczowka.waw.pl'.
# valid since: Sat Oct 18 23:33:17 CEST 2003
# expires at: Tue Oct 15 23:33:17 CEST 2013
# fingerprint: FF:82:CF:C2:41:16:94:1D:96:F3:31:7B:9D:51:C6:73
# Subject's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=SMTP,CN=pc-4.chomiczowka.waw.pl,EMAIL=postmaster@???
# Issuer's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek Majchrowski,EMAIL=majherek@???

- Certificate[1] info:
# valid since: Sat Oct 18 23:29:43 CEST 2003
# expires at: Tue Oct 15 23:29:43 CEST 2013
# fingerprint: A6:DE:68:8F:15:A3:B2:B9:F3:F6:E8:31:72:F1:32:43
# Subject's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek Majchrowski,EMAIL=majherek@???
# Issuer's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek Majchrowski,EMAIL=majherek@???


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL


And everything is OK.

Can anybody tell me why GnuTLS and OpenSSL in exim can't understand each other?

Best Regards
--
Marek Maj(c)herek Majchrowski
Warsaw University of Technology
Faculty of Electronics and Information Technology
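The server-side checks that a tls_verify_certificates directory and a tls_certificate/tls_privatekey pair have to pass, as an added shell example that is not from the post or from Exim: it builds a throw-away CA and client certificate with the openssl command line tool, shows that a client cert only verifies when the CA sits in the directory under its subject-hash name (the layout OpenSSL expects for a directory), and checks that a certificate and key really belong together. All paths, names and certificates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): builds a throw-away CA and
# client certificate with openssl, then runs the checks a server-side
# tls_verify_certificates directory and a tls_certificate/tls_privatekey
# pair must pass. Needs only the openssl command line tool.
set -eu

WORK=$(mktemp -d)
CADIR="$WORK/certs"     # stands in for /etc/exim/certs (hashed layout)
FLAT="$WORK/flat"       # same CA dropped in under its plain file name
mkdir -p "$CADIR" "$FLAT"

# Constructed test CA, a client cert it issued, and an unrelated CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Test/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/O=Test/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Other/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# install_ca DIR CA.pem: store the CA under its subject-hash name, which is
# how OpenSSL looks CAs up when tls_verify_certificates names a directory.
install_ca() {
  cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# chains_to_dir DIR CERT: succeeds only if CERT verifies against CAs in DIR.
chains_to_dir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: succeeds only if the public keys are identical, so a
# cert and key that Exim loads from one PEM file really belong together.
key_matches() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

install_ca "$CADIR" "$WORK/ca.pem"
cp "$WORK/ca.pem" "$FLAT/ca.pem"

chains_to_dir "$CADIR" "$WORK/client.pem" && echo "hashed dir: client cert verifies"
chains_to_dir "$FLAT" "$WORK/client.pem" || echo "flat dir: CA not found (needs hashed name)"
chains_to_dir "$CADIR" "$WORK/other.pem" || echo "unknown CA: rejected as expected"
key_matches "$WORK/client.pem" "$WORK/client.key" && echo "client cert and key match"
```

Point chains_to_dir at the real CA directory and the client's certificate file to confirm the server would accept that certificate before looking at the TLS handshake itself.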