Re: [exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts
Hello,

Heiko Schlittermann <hs@???> (Fr 19 Jun 2009 13:59:20 CEST):
> Hello,
>
> after resolving the issues with certs not verified by GNUTLS (because of
> the wrong signature algorithm) we experience some other problem:
>
> Whenever requesting a client certificate (tls_try_verify_hosts), the
> client (Outlook Express) does not successfully connect. Without
> requesting a certificate, TLS/SSL works.
I now recompiled exim using OpenSSL: I think, GNUTLS is not to blame,
since with OpenSSL the communication breaks too, as soon as I enable
tls_try_verify_hosts!

    14434 listening on all interfaces (IPv4) port 25
    14434 listening on all interfaces (IPv4) port 465
    14434 listening on all interfaces (IPv4) port 587
    14434 pid written to /var/run/exim4/exim.pid
    14434 LOG: MAIN
    14434   exim 4.69 daemon started: pid=14434, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
    14434 daemon running with uid=103 gid=105 euid=103 egid=105
    14434 Listening...
    14434 Connection request from 84.179.100.11 port 56331
    14450 Process 14450 is handling incoming connection from [84.179.100.11]
    14434 1 SMTP accept process running
    14434 Listening...
        14450 Process 14450 is ready for new message
        14450 tls_certificate file /etc/ssl/certs/ssl.schlittermann.de.crt
        14450 tls_privatekey file /etc/ssl/private/ssl.schlittermann.de.key
        14450 Initialized TLS
        14450 Calling SSL_accept
        14450 SSL info: before/accept initialization
        14450 SSL info: before/accept initialization
        14450 SSL info: SSLv3 read client hello A
        14450 SSL info: SSLv3 write server hello A
        14450 SSL info: SSLv3 write certificate A
        14450 SSL info: SSLv3 write certificate request A
        14450 SSL info: SSLv3 flush data
        14450 SSL info: SSLv3 read client certificate A
        14450 LOG: MAIN
        14450   TLS error on connection from p54b3640b.dip.t-dialin.net (hopperxp) [84.179.100.11] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
        14450 TLS failed to start
        14450 LOG: smtp_connection MAIN
        14450   SMTP connection from p54b3640b.dip.t-dialin.net (hopperxp) [84.179.100.11] I=[84.19.194.3]:587 closed by EOF
    14434 child 14450 ended: status=0x0
    14434 0 SMTP accept processes now running


* Now the client seems to start a new session, probably w/o TLS, but this fails
* on some sync issue:

    14434 Listening...
    14434 Connection request from 84.179.100.11 port 56332
    14434 1 SMTP accept process running
    14434 Listening...
        14451 Process 14451 is handling incoming connection from [84.179.100.11]
        14451 LOG: MAIN REJECT
        14451   SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=p54b3640b.dip.t-dialin.net [84.179.100.11] I=[84.19.194.3]:587 input="EHLO hopperxp\r\n"
    14434 child 14451 ended: status=0x0
    14434 0 SMTP accept processes now running
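As an added example (not code from the post or from Exim), here is a small Python scan over debug lines like those quoted above: it groups lines by child pid and flags connections where the server wrote a certificate request and SSL_accept then failed with the empty error code 0 (the client closed the connection instead of completing the handshake), plus the follow-up connections rejected for a protocol synchronization error. The sample lines are constructed from the output quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample, trimmed from the exim -d output quoted in the post above.
SAMPLE_LOG = """
14450 Process 14450 is handling incoming connection from [84.179.100.11]
14450 SSL info: SSLv3 write certificate request A
14450 SSL info: SSLv3 flush data
14450 SSL info: SSLv3 read client certificate A
14450   TLS error on connection from p54b3640b.dip.t-dialin.net (hopperxp) [84.179.100.11] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
14450 TLS failed to start
14451 Process 14451 is handling incoming connection from [84.179.100.11]
14451   SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=p54b3640b.dip.t-dialin.net [84.179.100.11] I=[84.19.194.3]:587 input="EHLO hopperxp\\r\\n"
"""

# Exim debug lines start with the pid of the process that emitted them.
LINE_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<msg>.*)$")
ADDR_RE = re.compile(r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")


def analyse_exim_debug(text: str) -> Dict[str, List[dict]]:
    """Classify each child process (one per connection) in Exim debug output.

    'cert_request_aborts': a certificate request was written and SSL_accept
        then failed with error 0, i.e. the peer hung up mid-handshake.
    'sync_errors': the connection was rejected for sending input before the banner.
    """
    per_pid: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        st = per_pid.setdefault(pid, {"pid": pid, "ip": None, "cert_requested": False,
                                      "ssl_error0": False, "sync_error": False})
        a = ADDR_RE.search(msg)
        if a and st["ip"] is None:
            st["ip"] = a.group("ip")
        if "write certificate request" in msg:
            st["cert_requested"] = True
        if "(SSL_accept): error:00000000" in msg:
            st["ssl_error0"] = True
        if "SMTP protocol synchronization error" in msg:
            st["sync_error"] = True
    result: Dict[str, List[dict]] = {"cert_request_aborts": [], "sync_errors": []}
    for st in per_pid.values():
        if st["cert_requested"] and st["ssl_error0"]:
            result["cert_request_aborts"].append(st)
        if st["sync_error"]:
            result["sync_errors"].append(st)
    return result
```

Running it over the sample reports pid 14450 as a certificate-request abort from 84.179.100.11 and pid 14451 as the sync-error retry, which is the pairing the post describes.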