[exim] Rejected connections with TLS

Author: Neil Youngman
Date:  
To: exim-users
Subject: [exim] Rejected connections with TLS
OK, I've read the FAQ and I don't think this is quite the situation described in the FAQ.

The relevant configuration

bash-2.05a$ grep '^tls_' /path/to/exim.cfg
tls_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /path/to/cacert.pem
tls_certificate = /path/to/host.crt
tls_privatekey = /path/to/host.key
bash-2.05a$ ls -l /path/to/cacert.pem 
-rwxr-xr-x    1 root     exim             0 Nov 24  2005 /path/to/cacert.pem
bash-2.05a$ 


The cacert.pem is definitely readable by the Exim user, but it's empty, so nothing is going to match. As I understand it, if nothing matches, the connection should continue, encrypted, but not verified.

What we actually see is

12/12/2006 09:10:34 Router: No messages transferred to MAIL.EXAMPLE.NET (host mail1.EXAMPLE.NET) via SMTP: SSL bad peer certificate. Connection refused

and in the exim log we see

2006-12-12 09:10:14 TLS error on connection from (tlsmail02.example.com) [123.111.100.123] (SSL_accept): error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)

As I read the docs, if it doesn't accept the certificate it should continue anyway. In this instance it doesn't seem to do that. Is that because it's a deeper problem than a rejected certificate, or am I misreading the docs?

Neil Youngman
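An added diagnostic for the two facts in the post above, written for this page and not taken from Exim or from the poster: it classifies the file named in tls_verify_certificates (empty, no parseable PEM certificates, or usable) and splits the numeric OpenSSL error printed in the Exim log line into its library/function/reason fields, the layout OpenSSL 0.9.x and 1.x use; reason values of 1000 and above denote a TLS alert received from the peer, and the alert names are the standard TLS ones. The sample PEM bundle is a constructed minimal DER SEQUENCE, not a real certificate, and the path and error string are taken from the post.

```python
"""Check a tls_verify_certificates bundle and decode an OpenSSL error code.

Added example for the Exim thread above; not Exim code and not the poster's.
"""
import base64
import re
import sys

# OpenSSL 0.9.x/1.x packs an error code as lib(8 bits)|func(12 bits)|reason(12 bits).
ERR_LIB_SSL = 20
# Reason values >= 1000 mean "the peer sent TLS alert (reason - 1000)".
SSL_AD_REASON_OFFSET = 1000

# Standard TLS alert descriptions (subset, as numbered in the TLS RFCs).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a minimal DER SEQUENCE wrapped in PEM, NOT a real certificate.
SAMPLE_BUNDLE = b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
LOG_ERROR_CODE = "140943E8"   # the code from the Exim log line in the post


def decode_openssl_error(code_hex):
    """Split an OpenSSL error code such as '140943E8' into lib/func/reason."""
    e = int(code_hex, 16)
    lib, func, reason = (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason, "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def count_pem_certificates(data):
    """Return (good, bad) counts of CERTIFICATE blocks in a PEM bundle.

    'good' means the body is valid base64 whose DER starts with a SEQUENCE
    tag (0x30). This is a sanity check, not full X.509 parsing.
    """
    good = bad = 0
    for body in PEM_CERT_RE.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            bad += 1
            continue
        if der[:1] == b"\x30":
            good += 1
        else:
            bad += 1
    return good, bad


def classify_ca_bundle(data):
    """Verdict string for the bytes of a tls_verify_certificates file."""
    if not data.strip():
        return "EMPTY: no trust anchors at all"
    good, bad = count_pem_certificates(data)
    if good == 0:
        return "NO-CERTS: %d malformed block(s), nothing usable" % bad
    return "OK: %d certificate(s), %d malformed block(s)" % (good, bad)


def main(argv):
    # Usage: script.py /path/to/cacert.pem 140943E8 (defaults to the constructed sample)
    if len(argv) >= 3:
        with open(argv[1], "rb") as f:
            data = f.read()
        code = argv[2]
    else:
        data, code = SAMPLE_BUNDLE, LOG_ERROR_CODE
    print("bundle ->", classify_ca_bundle(data))
    info = decode_openssl_error(code)
    print("error %s: lib=%d func=%d reason=%d" % (code, info["lib"], info["func"], info["reason"]))
    if info["alert"] is not None:
        print("  peer sent TLS alert %d (%s)" % (info["alert"], info["alert_name"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real cacert.pem from the post (`python3 script.py /path/to/cacert.pem 140943E8`) to confirm whether the bundle is empty or merely unmatched, which the post's `ls -l` output alone cannot distinguish from a file holding malformed blocks.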