[exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEnc…

Pàgina inicial
Delete this message
Reply to this message
Autor: Martin Kaiser
Data:  
A: exim-dev
Assumptes nous: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL, [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
Assumpte: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674
           Summary: exim can't verify sha256WithRSAEncryption signature in
                    X.509 certificates when linked against OpenSSL
           Product: Exim
           Version: 4.68
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: nigel@???
        ReportedBy: eximBugzilla@???
                CC: exim-dev@???



Created an attachment (id=236)
--> (http://bugs.exim.org/attachment.cgi?id=236)
certs, private key for client cert

exim 4.68, linked against OpenSSL
(also tried older versions, both on Linux and FreeBSD)

configured to verify client certificates


tls_advertise_hosts = *
tls_certificate = <any server certificate>
tls_privatekey = <any private key file>

tls_try_verify_hosts = *
tls_verify_certificates = rootCaCert.pem

Root CA cert has sha256WithRSAEncryption.
The client certificate is signed by the root cert and also has a
sha256WithRSAEncryption.

Verification will fail because the signature can't be checked.

The problem is in src/tls-openssl.c, function tls_init()
exim calls OpenSSL_add_ssl_algorithms();
This function initializes sha1 but not sha256.

A simple solution/workaround is


--- tls-openssl.c.orig  2008-02-21 22:37:46.000000000 +0100
+++ tls-openssl.c       2008-02-21 22:38:12.000000000 +0100
@@ -295,6 +295,7 @@
 {
 SSL_load_error_strings();          /* basic set up */
 OpenSSL_add_ssl_algorithms();
+OpenSSL_add_all_digests();


/* Create a context */

This solved the problem for me.

Of course, you could argue this is actually an OpenSSL issue...

I just had a look, the same issue exists in 4.69.

I attach a root cert and a client cert+key to help you track this down.

Please get back to me if you need more information.

Best regards,

Martin


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email