[exim-dev] [Bug 824] New: clarifiactions on tls_verify_certi…

Author: pierre
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 824] clarifiactions on tls_verify_certificates and opera
Subject: [exim-dev] [Bug 824] New: clarifiactions on tls_verify_certificates and opera
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=824
           Summary: clarifiactions on tls_verify_certificates and opera
           Product: Exim
           Version: 4.69
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Keywords: work:tiny
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: nigel@???
        ReportedBy: pierre@???
                CC: exim-dev@???



So I have a self-signed CA.
I have my server.crt and server.key files, signed by the CA.
I use the same ones for apache2, courier-imap-ssl, mysql and exim4.
I have a client.p12 file, signed by the CA, installed on the client side in Opera.

Access to https works well,
and it works with Firefox, Konqueror, and Safari, and even IE, on Gentoo,
Ubuntu, and even with XP...
Access to imap and mysql rocks.


But what a pain it is to configure exim to do the same...

Here is some of the exim config:

tls_advertise_hosts = *
tls_certificate = CONFDIR/exim.crt
tls_privatekey = CONFDIR/exim.key
tls_verify_certificates = /etc/ssl/certs
#tls_verify_certificates = CONFDIR/ca-bundle.crt
#tls_verify_certificates = CONFDIR/mellitech.pem
#tls_try_verify_hosts = *
tls_verify_hosts = *

If I'm right, all SMTP clients are advised to use STARTTLS, and all clients have
to show a certificate that is going to be verified by tls_verify_certificates.

That's where the confusion shows up...
A lot of forums/docs claim tls_verify_certificates has to be a CA, and only a
few talk about concatenated certificates or even the /etc/ssl/certs dir with the
c_rehash trick...

None of them works for me:
1/ a single file with the certificate inside (begins with -----BEGIN
CERTIFICATE----- and ends with -----END CERTIFICATE-----) gives "TLS error on
connection from blablabla: certificate verification failed (invalid)"

2/ the CA file gives the same

and
3/ the /etc/ssl/certs dir gives "TLS error on connection from blablabla
(setup_certs): Error while reading file" (which probably means I don't have
gnutls support....)

I would love to know why so many forums/docs talk about putting a CA file in
tls_verify_certificates while the official doc does not.
And if by any chance somebody knows how to fit the certificate into
tls_verify_certificates and validate my Opera client connection!


Any clue accepted...

pierre

Oh, by the way, I use Opera 9.64...


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
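An added example, not part of the bug report or of Exim itself: the store that tls_verify_certificates points at is what the TLS library uses to build and check the chain of the client certificate it receives, so it has to contain the issuing CA rather than the client's own leaf certificate. The two forms mentioned in the report, a CA bundle file and a directory of CA certificates named by subject hash (which is all c_rehash produces), can both be checked with the openssl command line before touching the Exim configuration. The script below builds a throwaway CA and a client certificate signed by it, then verifies the client certificate against each kind of store, including the "leaf certificate as the store" case from point 1/ of the report, which is expected to fail. It assumes only that the openssl command is installed; every name, subject and path in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from Exim: build a throwaway CA and a
# client certificate signed by it, then show what a trust store for
# tls_verify_certificates has to contain for that client certificate to verify.
# Assumes only the openssl command line tool; all names and paths are constructed.

set -u

# Create, under $1, a self-signed CA, a client certificate issued by that CA,
# and a hashed directory (certs.d) holding the CA the way c_rehash lays it out.
build_pki() {
    pki=$1
    # Self-signed CA: the "auto signed CA" of the report.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" >/dev/null 2>&1 || return 1
    # Client certificate: a request, then a CA signature on it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail-client" \
        -keyout "$pki/client.key" -out "$pki/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$pki/client.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -CAcreateserial -out "$pki/client.crt" >/dev/null 2>&1 || return 1
    # Hashed directory: each CA is stored as <subject-hash>.0, which is all the
    # "rehash trick" does; a lookup by -CApath finds the issuer under that name.
    hash=$(openssl x509 -noout -hash -in "$pki/ca.crt") || return 1
    mkdir -p "$pki/certs.d" || return 1
    cp "$pki/ca.crt" "$pki/certs.d/$hash.0" || return 1
}

# Verify a leaf certificate against a trust store.
#   $1: CAfile (bundle file) or CApath (hashed directory)
#   $2: path of the store   $3: leaf certificate to check
# Prints "ok" when the chain verifies and "fail" otherwise.
verify_client() {
    if openssl verify "-$1" "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Build the PKI in a temporary directory and print the outcome for the three
# kinds of store discussed in the report.
run_demo() {
    dir=$(mktemp -d) || return 1
    if ! build_pki "$dir"; then
        echo "could not build the test PKI"
        rm -rf "$dir"
        return 1
    fi
    echo "CA bundle file (CAfile ca.crt)            : $(verify_client CAfile "$dir/ca.crt" "$dir/client.crt")"
    echo "hashed CA directory (CApath certs.d)      : $(verify_client CApath "$dir/certs.d" "$dir/client.crt")"
    # The leaf certificate on its own is not a trust anchor, so this case fails:
    # it is the situation of point 1/ in the report.
    echo "leaf cert as the store (CAfile client.crt): $(verify_client CAfile "$dir/client.crt" "$dir/client.crt")"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
fi
```

Run it directly to print the three outcomes; the hashed directory is built by hand with `openssl x509 -hash` so the step that c_rehash automates is visible. The wording of the second error quoted in the report, "Error while reading file", is GnuTLS's error string rather than OpenSSL's, so which of the two store forms a given Exim binary accepts depends on the TLS library it was built against; checking the store with openssl as above separates "the store is wrong" from "this build cannot read a directory".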