[exim] TLS verification errors in 4.69?

Author: Heiko Schlittermann
Date:  
To: Exim-users
Subject: [exim] TLS verification errors in 4.69?
Hello,

I have an exim4 client (4.69) and two servers (4.68 and 4.69).
The client uses a certificate signed by my own CA.
Regarding the TLS setup, both servers are configured the same way (I
think!).

tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt 
tls_try_verify_hosts    = *


I double-checked that this tls_verify_certificates file contains the CA
used above, using openssl: ``openssl verify -CAfile
/etc/ssl/certs/ca-certificates.crt /tmp/client-cert.pem''


later in some ACL:

    accept  log_write = xxx: $tls_peerdn : $tls_certificate_verified
               verify = certificate


... it complains about an unverified certificate (the
$tls_certificate_verified above is 0).

The same server setup works in 4.68. (It's not exactly the same, but
I *think* the relevant parts are the same.)


Does anybody have a hint as to where I'm wrong? The server's output with "-d-all+tls"
is here:

12085 exim 4.69 daemon started: pid=12085, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
12085 daemon running with uid=103 gid=105 euid=103 egid=105
12085 Listening...
12085 Connection request from 84.179.101.120 port 34427
12085 1 SMTP accept process running
12085 Listening...
12086 Process 12086 is handling incoming connection from [84.179.101.120]
12086 Process 12086 is ready for new message
12086 initializing GnuTLS as a server
12086 read D-H parameters from file
12086 initialized D-H parameters
12086 certificate file = /etc/ssl/certs/ssl.schlittermann.de.crt
12086 key file = /etc/ssl/private/ssl.schlittermann.de.key
12086 verify certificates = /etc/ssl/certs/ca-certificates.crt size=225352
12086 initialized certificate stuff
12086 initialized GnuTLS session
12086 gnutls_handshake was successful
12086 TLS certificate verify failure (invalid) overridden (host in tls_try_verify_hosts): peerdn=C=DE,ST=Saxony,L=Dresden,O=schlittermann -- internet & unix support,CN=muli.schlittermann.de
12086 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
12086 TLS active
12086 Calling gnutls_record_recv(1bfa560, 1c06db0, 4096)
12086 tls_do_write(1962268, 144)
12086 gnutls_record_send(SSL, 1962268, 144)
12086 outbytes=144
12086 Calling gnutls_record_recv(1bfa560, 1c06db0, 4096)
12086 LOG: MAIN
12086 xxx: C=DE,ST=Saxony,L=Dresden,O=schlittermann -- internet & unix support,CN=muli.schlittermann.de : 0
12086 tls_do_write(1959410, 37)
12086 gnutls_record_send(SSL, 1959410, 37)
...


Thanks in advance.


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -
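An added example, not code from the post or from Exim: a small Python script that parses Exim "-d-all+tls" debug output of the kind shown above and reports, per SMTP child process, whether the client certificate actually verified. It shows the security-relevant detail in the debug line: with `tls_try_verify_hosts` a verification failure is only logged and "overridden", so the session stays up with `$tls_certificate_verified = 0`, which is exactly why the ACL's `verify = certificate` condition cannot succeed. The sample input is constructed from the post's own debug lines plus one hypothetical session (pid 12090, peer 192.0.2.10) assumed to verify; the "TLS certificate verified: peerdn=..." wording for the success case is an assumption about Exim's GnuTLS message, and the `xxx:` line is the post's own `log_write`.

```python
"""Audit Exim '-d-all+tls' debug output for client-certificate verification results.

Added example, not part of the original post or of Exim itself.
"""
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the post's debug output (pid 12086)
# plus a hypothetical session (pid 12090) assumed to verify successfully.
SAMPLE_DEBUG = """\
12086 Process 12086 is handling incoming connection from [84.179.101.120]
12086 gnutls_handshake was successful
12086 TLS certificate verify failure (invalid) overridden (host in tls_try_verify_hosts): peerdn=C=DE,ST=Saxony,L=Dresden,O=schlittermann -- internet & unix support,CN=muli.schlittermann.de
12086 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
12086 TLS active
12086 LOG: MAIN
12086 xxx: C=DE,ST=Saxony,L=Dresden,O=schlittermann -- internet & unix support,CN=muli.schlittermann.de : 0
12090 Process 12090 is handling incoming connection from [192.0.2.10]
12090 gnutls_handshake was successful
12090 TLS certificate verified: peerdn=C=DE,O=Example,CN=relay.example.net
12090 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
12090 TLS active
12090 xxx: C=DE,O=Example,CN=relay.example.net : 1
"""

# The 'overridden' and 'xxx:' formats are copied from the post's debug output.
# The 'TLS certificate verified' wording is an ASSUMPTION about Exim's GnuTLS
# success message and may differ between Exim versions.
RE_CONN = re.compile(r"^(\d+) Process \d+ is handling incoming connection from \[([^\]]+)\]")
RE_HANDSHAKE = re.compile(r"^(\d+) gnutls_handshake was successful")
RE_OVERRIDDEN = re.compile(
    r"^(\d+) TLS certificate verify failure \((\w+)\) overridden "
    r"\(host in tls_try_verify_hosts\): peerdn=(.*)$")
RE_VERIFIED = re.compile(r"^(\d+) TLS certificate verified: peerdn=(.*)$")  # assumed
# ACL line from 'log_write = xxx: $tls_peerdn : $tls_certificate_verified'.
RE_ACL_LOG = re.compile(r"^(\d+) xxx: (.*) : ([01])$")


def parse_tls_debug(text: str) -> Dict[str, dict]:
    """Group debug lines by child pid and record the TLS outcome of each session."""
    sessions: Dict[str, dict] = {}

    def session(pid: str) -> dict:
        return sessions.setdefault(pid, {
            "peer": None, "handshake_ok": False, "verified": None,
            "overridden": False, "reason": None, "peerdn": None, "acl_verified": None,
        })

    for line in text.splitlines():
        if m := RE_CONN.match(line):
            session(m.group(1))["peer"] = m.group(2)
        elif m := RE_HANDSHAKE.match(line):
            session(m.group(1))["handshake_ok"] = True
        elif m := RE_OVERRIDDEN.match(line):
            # GnuTLS rejected the cert; Exim carried on because the host matched
            # tls_try_verify_hosts. The reason in parentheses is GnuTLS's verdict.
            s = session(m.group(1))
            s.update(verified=False, overridden=True, reason=m.group(2), peerdn=m.group(3))
        elif m := RE_VERIFIED.match(line):
            session(m.group(1)).update(verified=True, peerdn=m.group(2))
        elif m := RE_ACL_LOG.match(line):
            session(m.group(1))["acl_verified"] = int(m.group(3))
    return sessions


def audit(sessions: Dict[str, dict]) -> List[str]:
    """Flag sessions whose handshake succeeded but whose client cert did not verify.

    Such a session keeps $tls_certificate_verified = 0, so an ACL condition
    'verify = certificate' will not be satisfied for it.
    """
    findings: List[str] = []
    for pid, s in sorted(sessions.items()):
        if s["handshake_ok"] and s["verified"] is False:
            findings.append(
                f"pid {pid} from {s['peer']}: client certificate NOT verified "
                f"(GnuTLS: {s['reason']}); session continued only because the host "
                f"matched tls_try_verify_hosts; peerdn={s['peerdn']}")
        # Cross-check: the ACL's view of $tls_certificate_verified must agree
        # with the debug output, otherwise the log is being misread.
        if s["acl_verified"] is not None and s["verified"] is not None \
                and s["acl_verified"] != int(s["verified"]):
            findings.append(f"pid {pid}: ACL saw $tls_certificate_verified="
                            f"{s['acl_verified']} but the debug output disagrees")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tls_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run against a real debug capture (`exim -bd -d-all+tls 2> debug.log`, then feed the file to `parse_tls_debug`) it separates the two things the post conflates: the handshake succeeding and the certificate verifying. Note that the reason GnuTLS reports ("invalid" above) is GnuTLS's own chain-building verdict; `openssl verify -CAfile ...` builds the chain independently, so passing that check does not by itself prove GnuTLS will accept the same certificate against the same bundle.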