[exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

Author: Heiko Schlittermann
Date:  
To: Exim Users List
Subject: [exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts
Hello,

after resolving the issues with certs not being verified by GNUTLS (because of
the wrong signature algorithm), we are experiencing another problem:

Whenever requesting a client certificate (tls_try_verify_hosts), the
client (Outlook Express) does not successfully connect. Without
requesting a certificate, TLS/SSL works.

On the server: Exim4 4.69 + GNUTLS 2.6(.4); on the client side some
Outlook (currently OE 6.0, but I think the version is not important
here). The server's options are

tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
tls_on_connect_ports = 465
tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts = *¹
tls_verify_hosts =

¹) I need this, because some (verified) certs are used for
authentication.

Other TLS relevant options are not set.

The client complains with error code 0x800CCC0F (it seems to be quite
generic...)

With older versions of GNUTLS (used on some other server with Exim 4.68
+ GNUTLS 1.3.x) it works. Clients other than Outlook connect.

When I switch off Exim and simulate a server using "openssl s_server
...", I can successfully complete the session; attempting the same with
"gnutls-serv ..." hangs after "sending CERTIFICATE REQUEST" to the
client.

My questions:

    * does anybody else experience this problem? (I found something
      using Google, but nothing related to Outlook and GNUTLS.)


    * do I really have to link Exim against the OpenSSL libs? (I do not
      like it, because of the maintenance issue.)


    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -
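As an added diagnostic (not part of the original message or of Exim), the following script checks from the client side whether a server on an implicit-TLS port such as 465 actually sends a CertificateRequest, as Exim does for hosts matched by tls_try_verify_hosts or tls_verify_hosts, and how many CA names it lists in it. It assumes the "openssl" command-line tool is installed and relies on the section headers that "openssl s_client" prints after a finished handshake; the sample outputs at the end are constructed, not captured from the server in the message.

```shell
#!/bin/sh
# Added example, not from the original message: report whether an SMTPS
# server asks for a client certificate and how many CA names it advertises.
# Assumes the "openssl" CLI and the headers "openssl s_client" prints.

# Read "openssl s_client" output on stdin and print one of:
#   "requested <n>"  - server sent a CertificateRequest listing <n> CA names
#   "not-requested"  - no CertificateRequest seen in the output
classify_cert_request() {
    awk '
        /^Acceptable client certificate CA names/ { requested = 1; counting = 1; next }
        /^Client Certificate Types:/              { requested = 1; counting = 0; next }
        # Any of these headers ends the list of CA names.
        /^(No client certificate CA names sent|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|Server Temp Key|SSL handshake has read|---)/ { counting = 0; next }
        counting && NF > 0 { names++ }
        END {
            if (requested) print "requested " (names + 0)
            else           print "not-requested"
        }
    '
}

# Connect to an implicit-TLS port (465 in the configuration above) and
# classify the handshake. stdin is closed so s_client exits after the
# handshake; hostname and port are the caller's values.
probe_smtps() {
    host=$1
    port=${2:-465}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | classify_cert_request
}

# Constructed, abridged sample outputs for offline use (not real captures).
SAMPLE_REQUEST='---
Acceptable client certificate CA names
/C=DE/O=Example CA/CN=Example Root CA
/C=DE/O=Example CA/CN=Example Mail CA
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 3571 bytes and written 441 bytes'

SAMPLE_NO_REQUEST='---
No client certificate CA names sent
---
SSL handshake has read 2910 bytes and written 302 bytes'
```

Run `probe_smtps mail.example.org 465` against a live server; with tls_verify_certificates pointing at a full system CA bundle, the reported count shows how large a CA list the CertificateRequest carries.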