Hi,
I've a problem between two Exims.
One is a client with compiled-in GnuTLS support, the other is a server
with compiled-in OpenSSL.
I've something like this in the ACL on the server side:
begin acl
check_recipient:
  accept  hosts = :
  drop    message = I don't take more than 20 RCPTs
          condition = ${if > {$rcpt_count}{20}{yes}{no}}
  [cut]
  require message = Can't verify sender
          verify = sender
          message = Can't verify recipient
          verify = recipient
  accept  recipients = postmaster@xxx
  accept  domains = +local_domains
  accept  hosts = +relay_hosts
  accept  hosts = +tls_relay_hosts
          verify = certificate
  accept  hosts = +auth_relay_hosts
          authenticated = *
  deny    message = relay not permitted
And:
hostlist auth_relay_hosts = *
tls_try_verify_hosts = *
hostlist tls_relay_hosts = *
tls_verify_certificates = /etc/exim/certs
tls_certificate = /etc/ssl/certs/exim.pem
tls_privatekey = /etc/ssl/certs/exim.pem
I often use the same computer with Linux/Win2k and I need to
authenticate once using PLAIN TEXT and once using certs.
On the client side I've:
begin routers
smarthost:
  driver = manualroute
  domains = ! +local_domains
  route_list = * pc-4.chomiczowka.waw.pl bydns
  transport = remote_smtp
  no_more
And in the transport:
remote_smtp:
  driver = smtp
  hosts_require_tls = pc-4.chomiczowka.waw.pl
  tls_certificate = /etc/ssl/certs/exim-client.neptun.majcom-cert.pem
  tls_privatekey = /etc/ssl/certs/exim-client.neptun.majcom-key.pem
  tls_require_ciphers = AES : 3DES
For debugging, I changed the server from tls_try_verify_hosts to tls_verify_hosts
and ran exim4 -bd -d+tls 2>&1 | tee exim
12129 SMTP>> 250-pc-4.chomiczowka.waw.pl Hello
chello212186088174.chello.pl [212.186.88.174]
12129 250-SIZE 10485760
12129 250-8BITMIME
12129 250-PIPELINING
12129 250-AUTH PLAIN LOGIN
12129 250-STARTTLS
12129 250 HELP
12129 SMTP<< STARTTLS
12129 tls_certificate file /etc/ssl/certs/exim.pem
12129 tls_privatekey file /etc/ssl/certs/exim.pem
12129 Initialized TLS
12129 host in tls_verify_hosts? yes (matched "212.186.88.174")
12129 SMTP>> 220 TLS go ahead
12129 Calling SSL_accept
12129 SSL info: before/accept initialization
12129 SSL info: before/accept initialization
12129 SSL info: SSLv3 read client hello A
12129 SSL info: SSLv3 write server hello A
12129 SSL info: SSLv3 write certificate A
12129 SSL info: SSLv3 write certificate request A
12129 SSL info: SSLv3 flush data
12129 SSL info: SSLv3 read client certificate B
12129 SSL info: SSLv3 read client certificate B
12129 SSL info: SSLv3 read client certificate B
12129 LOG: MAIN
12129 TLS error on connection from chello212186088174.chello.pl
(marek.majcom) [212.186.88.174]:59145 (SSL_accept): error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
12129 TLS failed to start
12129 LOG: smtp_connection MAIN
12129 SMTP connection from chello212186088174.chello.pl
(marek.majcom) [212.186.88.174]:59145 closed by EOF
12129 search_tidyup called
13124 child 12129 ended: status=0x0
13124 0 SMTP accept processes now running
13124 Listening...
I tried on the client side:
$ gnutls-cli -s --x509keyfile key.pem --x509certfile cert.pem -p 25 pc-4.chomi>
Resolving 'pc-4.chomiczowka.waw.pl'...
Connecting to '195.136.32.4:25'...
- Simple Client Mode:
220 ESMTP neptun [pc-4.chomiczowka.waw.pl]
EHLO DUPA
250-pc-4.chomiczowka.waw.pl Hello chello212186088174.chello.pl [212.186.88.174]
250-SIZE 10485760
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'pc-4.chomiczowka.waw.pl'.
# valid since: Sat Oct 18 23:33:17 CEST 2003
# expires at: Tue Oct 15 23:33:17 CEST 2013
# fingerprint: FF:82:CF:C2:41:16:94:1D:96:F3:31:7B:9D:51:C6:73
# Subject's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=SMTP,CN=pc-4.chomiczowka.waw.pl,EMAIL=postmaster@???
# Issuer's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek
Majchrowski,EMAIL=majherek@???
- Certificate[1] info:
# valid since: Sat Oct 18 23:29:43 CEST 2003
# expires at: Tue Oct 15 23:29:43 CEST 2013
# fingerprint: A6:DE:68:8F:15:A3:B2:B9:F3:F6:E8:31:72:F1:32:43
# Subject's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek
Majchrowski,EMAIL=majherek@???
# Issuer's DN:
C=PL,ST=mazowieckie,L=Warszawa,O=MajCom,OU=CA,CN=Marek
Majchrowski,EMAIL=majherek@???
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
And everything is OK.
Can anybody tell me why GnuTLS and OpenSSL in Exim can't understand each other?
Best regards
--
Marek Maj(c)herek Majchrowski
Warsaw University of Technology
Faculty of Electronics and Information Technology
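Added example, not part of the original post and not Exim's own code: a small Python triage script for the kind of `-d+tls` trace shown above. It groups the debug lines by Exim process id, records whether the connecting host matched tls_verify_hosts, whether the server sent a CertificateRequest, and the SSL_accept error reason, and turns that into defender-side hints. The log lines embedded in it are constructed in the shape of the trace above (host names, addresses and the second, successful session are placeholders, not a capture). The hints reflect general Exim and TLS behaviour rather than a finding about this particular setup: tls_verify_hosts makes a missing client certificate fatal whereas tls_try_verify_hosts lets the session continue unverified, and a client whose certificate issuer is not among the CA names the server advertises in its CertificateRequest will often send no certificate at all.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of an `exim -bd -d+tls` trace; host names,
# addresses and the second (successful) session are placeholders, not a capture.
SAMPLE_LOG = """\
12129 SMTP<< STARTTLS
12129 host in tls_verify_hosts? yes (matched "192.0.2.10")
12129 Calling SSL_accept
12129 SSL info: SSLv3 read client hello A
12129 SSL info: SSLv3 write server hello A
12129 SSL info: SSLv3 write certificate A
12129 SSL info: SSLv3 write certificate request A
12129 SSL info: SSLv3 flush data
12129 SSL info: SSLv3 read client certificate B
12129 LOG: MAIN
12129 TLS error on connection from client.example (relay) [192.0.2.10]:59145 (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
12129 TLS failed to start
12130 SMTP<< STARTTLS
12130 host in tls_verify_hosts? no (end of list)
12130 Calling SSL_accept
12130 SSL info: SSLv3 read client hello A
12130 SSL info: SSLv3 write certificate A
12130 SSL info: SSL negotiation finished successfully
"""

PID_RE = re.compile(r"^(?P<pid>\d+) (?P<msg>.*)$")
VERIFY_RE = re.compile(r"^host in tls_verify_hosts\? (?P<ans>yes|no)")
SSL_INFO_RE = re.compile(r"^SSL info: (?P<state>.+)$")
# Greedy peer group so a "(comment)" inside the peer string does not confuse it.
ERROR_RE = re.compile(
    r"^TLS error on connection from (?P<peer>.+) \((?P<call>\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+):(?P<reason>.+)$"
)


@dataclass
class TlsHandshake:
    """What one Exim child process reported about a single STARTTLS attempt."""
    pid: str
    client_cert_required: Optional[bool] = None  # host matched tls_verify_hosts?
    cert_requested: bool = False                 # server sent a CertificateRequest
    peer: Optional[str] = None
    error_reason: Optional[str] = None
    failed: bool = False
    states: list = field(default_factory=list)   # OpenSSL state-machine trace


def parse_exim_tls_debug(text: str) -> dict:
    """Group -d+tls debug lines by Exim pid and pull out the TLS-relevant facts."""
    handshakes = {}
    for raw in text.splitlines():
        m = PID_RE.match(raw.strip())
        if not m:
            continue  # blank lines or continuation lines from mail wrapping
        pid, msg = m.group("pid"), m.group("msg")
        h = handshakes.setdefault(pid, TlsHandshake(pid))
        if (v := VERIFY_RE.match(msg)):
            h.client_cert_required = v.group("ans") == "yes"
        elif (s := SSL_INFO_RE.match(msg)):
            state = s.group("state")
            h.states.append(state)
            if "write certificate request" in state:
                h.cert_requested = True
        elif (e := ERROR_RE.match(msg)):
            h.peer = e.group("peer")
            h.error_reason = e.group("reason")
        elif msg == "TLS failed to start":
            h.failed = True
    return handshakes


def diagnose(h: TlsHandshake) -> list:
    """Turn the parsed facts into hints about why the STARTTLS handshake failed."""
    if not h.failed and h.error_reason is None:
        return ["handshake completed"]
    reason = h.error_reason or "unknown error"
    if "peer did not return a certificate" not in reason or not h.cert_requested:
        return [f"SSL_accept failed: {reason}"]
    findings = ["server sent a CertificateRequest but the client answered with no certificate"]
    if h.client_cert_required:
        findings.append("host matched tls_verify_hosts, so the empty answer is fatal; "
                        "under tls_try_verify_hosts the session would continue unverified")
    findings.append("check that the client transport's tls_certificate/tls_privatekey load "
                    "and that the CA names the server advertises (from tls_verify_certificates) "
                    "include the client certificate's issuer; some clients, GnuTLS among them, "
                    "send nothing when no advertised CA matches")
    return findings


def summarize(text: str) -> dict:
    """Entry point: Exim pid -> list of findings."""
    return {pid: diagnose(h) for pid, h in parse_exim_tls_debug(text).items()}


if __name__ == "__main__":
    for pid, findings in summarize(SAMPLE_LOG).items():
        print(pid)
        for f in findings:
            print("  -", f)
```

Run it against a real `-d+tls` capture by replacing SAMPLE_LOG with the file contents; lines that were wrapped by the mailer (as the error line is in the post above) need to be rejoined first, since the parser keys every line on a leading pid.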