Re: [exim] TLS verification errors in 4.69?

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] TLS verification errors in 4.69?
Hello,

the Exim 4.69 on the client side doesn't matter. If I use ``openssl
s_client'' ... to connect to the server, the same happens: the same
TLS-relevant config parts, but different behaviour.

Working server:
    gnutls_require_kx = 
    gnutls_require_mac = 
    gnutls_require_protocols = 
    log_selector = +tls_peerdn -retry_defer +sender_on_delivery +pid +incoming_interface
    tls_advertise_hosts = *
    tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
    tls_crl = 
    tls_dhparam = 
    tls_on_connect_ports = 465
    tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
    no_tls_remember_esmtp
    tls_require_ciphers = 
    tls_try_verify_hosts = *
    tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
    tls_verify_hosts = 


Failing server:
    gnutls_require_kx = 
    gnutls_require_mac = 
    gnutls_require_protocols = 
    tls_advertise_hosts = *
    tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
    tls_crl = 
    tls_dhparam = 
    tls_on_connect_ports = 465
    tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
    no_tls_remember_esmtp
    tls_require_ciphers = 
    tls_try_verify_hosts = 
¹   tls_verify_certificates = /etc/ssl/certs/schlittermann-ca.pem
²   tls_verify_hosts = *


1)  this file contains exactly and only the CA that signed the cert on
    the client side


2)  this should be "tls_try_verify_hosts" to be able to do some more
    ACL checking; it's changed here to tls_verify_hosts to get a faster
    response.


--
Heiko
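Before blaming the tls_verify_hosts setting, it is worth confirming footnote 1 directly: that the file given as tls_verify_certificates on the failing server really does verify the client's certificate. The script below is an added example, not part of the thread; it builds a throwaway CA, a client certificate signed by it and an unrelated second CA with the openssl CLI (assumed to be installed), and then runs the same chain check the server performs, once against the right CA file and once against the wrong one.

```shell
#!/bin/sh
# Added example: check whether a CA file verifies a client certificate.
# All key material is generated on the fly; nothing here is the poster's
# real CA or certificate.
set -e

# make_test_pki DIR: create "Test CA", a client cert signed by it, and an
# unrelated "Other CA" under DIR. Constructed test material only.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" >/dev/null 2>&1
}

# ca_verifies CAFILE CERT: print "ok" if CERT chains to a CA in CAFILE and
# "fail" otherwise. This is the check tls_verify_certificates stands for:
# a CA file that does not contain the client's issuer always yields "fail".
ca_verifies() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone demo (run with RUN_DEMO=1): build the PKI and report both checks.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    echo "right CA: $(ca_verifies "$d/ca.pem" "$d/client.pem")"        # ok
    echo "wrong CA: $(ca_verifies "$d/other-ca.pem" "$d/client.pem")"  # fail
    rm -rf "$d"
}

if [ "${RUN_DEMO:-}" = 1 ]; then demo; fi
```

Point the same two-argument check at the real files (the server's tls_verify_certificates bundle and the client's certificate) to see whether the failing server's CA file is the actual cause before changing any verify option.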