[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: exim-dev
Anciens-sujets: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Nouveaux-sujets: [exim-dev] Phil's bug triage
Sujet: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #5 from Phil Pennock <exim-dev@???> 2008-08-13 08:10:35 ---
FWIW, this does not fail for me until I use tls_verify_hosts instead of
tls_try_verify_hosts. For obvious reasons.

16291 LOG: MAIN
16291 SSL verify error: depth=1 error=certificate signature failure
cert=/C=DE/ST=Hessen/L=Frankfurt/O=GUUG FFG 2008/OU=Example CA/CN=Martin
Kaiser/emailAddress=ffg2008@???
[...]
16291 LOG: MAIN
16291 TLS error on connection from (openssl.client.net) [127.0.0.1]:50863
(SSL_accept): error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
message digest algorithm
16291 TLS failed to start
[...]
16291 SMTP>> 554 Security failure

Looking through the source for s_server.c in OpenSSL 0.9.8h I see it calls
OpenSSL_add_all_algorithms() which adds all ciphers and all digests; that
includes password-based ciphers, according to the man-page but I've no idea if
that's likely to cause problems in a server expecting to work from a
certificate.

I guess the real question is whether or not it's bad to load all digests
(and/or ciphers) when the Exim option tls_require_ciphers is set and whether or
not we need a new tls_require_digests option (or if the ciphers option digest
field stuff is sufficient for cert verification).

If tls_require_ciphers is a saving throw, then what probably needs to happen is
that the tls_require_ciphers option should have a reasonable default set,
instead of being unset by default, and then we add a call to
OpenSSL_add_all_algorithms().

Does anyone here have any expertise in this? If not, there are some people I
can ask for help elsewhere.

Anyone have any thoughts on what a reasonable default tls_require_ciphers would
then be? I myself use:
tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!aNULL:!NULL:!DES:@STRENGTH
but some of that is belt&braces and perhaps disabling EXPORT ciphers isn't an
appropriate default.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email