http://bugs.exim.org/show_bug.cgi?id=1382
--- Comment #6 from Todd Lyons <tlyons@???> 2013-09-10 02:35:00 ---
On Mon, Sep 9, 2013 at 5:01 PM, alxgomz <alxgomz@???> wrote:
> I have tried both patches but they don't fix the issue.
> The debug still shows "LDAP_OPT_X_TLS_TRY" regardless of the value of
> ldap_require_cert = allow.
>
> I have also tried the patch from the following page
> https://gist.github.com/mrballcb/6501428, but that didn't help either.
Can you show the debug output to see what the LDAP_OPT_X_TLS is being
set to with the patch from that gist? Add into the patch, right
before the first ldap_set_option() call:
debug_printf("setting value LDAP_OPT_X_TLS = %d\n", tls_option);
I want to make sure that it's setting the option the way we think it should be.
> I have added a debug line before the ldap_start_tls_s line 534 in order to
> check the options of the ldap connection:
>
> 533 debug_printf("trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = %d\n", cert_option);
>
> It seems to be set properly (according to ldap.h) from the config file as I
> get:
>
> 00:31:37 6469 3 set for cert_option
> 00:31:37 6469 binding with user=uid=exim,dc=middle,dc=earth password=eximmta
> 00:31:37 6469 trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = 3
Yes that looks good. Now let's look at the initial setting with the
extra debug statement above.
> But as you can see I still get a connection error and checking the network dump
> I see I have the following TLS alert: "Unknown CA", which shouldn't happen with
> ldap_require_cert set to allow.
I don't know if that shouldn't happen. Rather, it should just be
ignored per the setting above.
> I cannot exclude any setup error on my side, but again, I have dovecot happily
> doing LDAP TLS against the same LDAP server (so with the same self-signed
> certificate) with similar configuration (tls = yes tls_require_cert = allow).
And we're, in theory, trying to align those behaviors.