[exim] Problem with client certificate verification

Author: Steffen Mueller
Date:  
To: exim-users
Subject: [exim] Problem with client certificate verification
Hello,

I'm new to Exim (and mail servers in general) and trying to set up a mail
server for my LAN. All clients that want to send mail to other domains
should be required to authenticate themselves with a client certificate.

My TLS configuration:

tls_advertise_hosts    = *
tls_certificate        = /var/ssl/server/exim.crt
tls_private_key        = /var/ssl/server/exim.key
tls_verify_certificates    = /var/ssl/ca/ca.crt
tls_verify_hosts    = *
tls_try_verify_hosts    = *


Every client (I'm using Thunderbird) should now submit the client
certificate to the server and the server should verify the certificate
with /var/ssl/ca/ca.crt (that is my CA certificate which was used to
sign the client cert).

I've created all certificates with OpenSSL, but the client certificates
cannot be verified:

[...]
1665 host in tls_advertise_hosts? yes (matched "*")
1665 SMTP>> 250-localhost.localdomain Hello [192.168.1.1] [192.168.1.1]
1665 250-SIZE 52428800
1665 250-PIPELINING
1665 250-STARTTLS
1665 250 HELP
1665 SMTP<< STARTTLS
1665 initializing GnuTLS as a server
1665 read RSA and D-H parameters from file
1665 initialized RSA and D-H parameters
1665 certificate file = /var/ssl/server/exim.crt
1665 key file = /var/ssl/server/exim.key
1665 verify certificates = /var/ssl/ca/ca.crt size=745
1665 initialized certificate stuff
1665 host in tls_verify_hosts? yes (matched "*")
1665 initialized GnuTLS session
1665 SMTP>> 220 TLS go ahead
1665 gnutls_handshake was successful
1665 TLS certificate verification failed (invalid):
peerdn=C=DE,ST=Thuringia,O=test1,OU=Users,CN=user,EMAIL=user@test1
1665 LOG: MAIN
1665 TLS error on connection from ([192.168.1.1]) [192.168.1.1]:3389:
certificate verification failed (invalid)
1665 TLS failed to start
1665 LOG: smtp_connection MAIN
1665 SMTP connection from ([192.168.1.1]) [192.168.1.1]:3389
I=[192.168.1.11]:25 closed by EOF
1665 search_tidyup called
1662 child 1665 ended: status=0x0
1662 0 SMTP accept processes now running
[...]

The commands I used to create the certificates are (without the commands
to create the server certificates):

# create ca key
openssl genrsa -out ca/ca.key
# create ca sign request
openssl req -new -key ca/ca.key -out ca/ca.csr
# sign the request
openssl x509 -req -in ca/ca.csr -out ca/ca.crt -signkey ca/ca.key

# create client key
openssl genrsa -des3 -out user/user.key 1024
# client cert request
openssl req -new -key user/user.key -out user/user.csr
# sign client cert
openssl ca -in user/user.csr -cert ca/ca.crt -keyfile ca/ca.key \
    -out user/user.crt
# create pkcs12 cert for thunderbird
openssl pkcs12 -export -clcerts -in user/user.crt -inkey user/user.key \
    -out ./user/user.p12


I imported the user.p12 in Thunderbird and, as the debug output above
shows, the client certificate is sent to the server, but cannot be
verified with the CA certificate (ca.crt). (TLS connections without
client verification do work.)

When I use the certificates for client verification on an Apache
webserver everything works as expected.

Any idea what I'm doing wrong?

Thanks,
Steffen Mueller
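Added check, not part of Steffen's message and not Exim code: the script below
builds a throw-away CA twice, once the way the post does (openssl x509 -req
-signkey with no extension file) and once with an explicit basicConstraints
CA:TRUE extension, issues a client certificate from each, and then runs
"openssl verify -CAfile ca.crt user.crt", which is the same chain check the
server has to pass before it can accept the client. Assumptions: openssl is on
PATH, mktemp -d is available, and the client certificate is issued with
"openssl x509 -req -CA" instead of the post's "openssl ca", which needs a CA
directory layout. Whether the first CA file comes out as a version 1
certificate without basicConstraints depends on the OpenSSL release (in the
releases of the post's era it did); GnuTLS does not treat a version 1
certificate as a CA unless the verifier passes
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, while OpenSSL-based verifiers such as
Apache's mod_ssl accept a self-signed v1 root. The post does not confirm that
this is the cause, so the script only reports what each CA file looks like
and whether the chain verifies.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Builds two throw-away CAs,
# signs a client cert with each and checks the chain the way a server would.
set -eu

# Print the X.509 version and basicConstraints of a certificate on one line.
describe_ca() {
    openssl x509 -in "$1" -noout -text |
        grep -E 'Version:|CA:(TRUE|FALSE)' | sed 's/^ *//' | tr '\n' ' '
    echo
}

# Mint a self-signed CA in $1/ca.crt.
# kind=v3: attach basicConstraints CA:TRUE, as a CA certificate should carry.
# kind=v1: mimic the post, "openssl x509 -req -signkey" with no extensions.
make_ca() {
    dir=$1; kind=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=test CA $kind" \
        -out "$dir/ca.csr" 2>/dev/null
    if [ "$kind" = v3 ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$dir/ca.ext"
        openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
            -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    else
        openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
            -out "$dir/ca.crt" 2>/dev/null
    fi
}

# Issue a client certificate signed by the CA in $1 (assumption: "x509 -req
# -CA" stands in for the post's "openssl ca", which needs a CA directory).
make_client() {
    dir=$1
    openssl genrsa -out "$dir/user.key" 2048 2>/dev/null
    openssl req -new -key "$dir/user.key" \
        -subj "/CN=user/emailAddress=user@test1" -out "$dir/user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/user.ext"
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/user.ext" \
        -out "$dir/user.crt" 2>/dev/null
}

# Exit 0 if the client cert $2 chains to the CA file $1, non-zero otherwise.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build both CAs, report what the CA files look like and whether each chain
# verifies, then show that a cert from one CA does not verify against the other.
run_demo() {
    work=$(mktemp -d)
    for kind in v1 v3; do
        make_ca "$work/$kind" "$kind"
        make_client "$work/$kind"
        printf '%s CA: ' "$kind"; describe_ca "$work/$kind/ca.crt"
        if verify_client "$work/$kind/ca.crt" "$work/$kind/user.crt"; then
            echo "  openssl verify against own CA: OK"
        else
            echo "  openssl verify against own CA: FAILED"
        fi
    done
    if verify_client "$work/v1/ca.crt" "$work/v3/user.crt"; then
        echo "cross-CA check: unexpectedly OK"
    else
        echo "cross-CA check: FAILED as expected (cert not issued by that CA)"
    fi
    rm -rf "$work"
}

run_demo
```

If openssl verify succeeds but the server still rejects the certificate, the
next step is to exercise the real handshake from the client side with
"openssl s_client -connect <host>:25 -starttls smtp -CAfile ca.crt -cert
user.crt -key user.key", which prints the client certificate being offered and
any verification error the server returns.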