Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?

Author: Viktor Dukhovni
To: exim-dev
Subject: Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?
On Tue, Oct 08, 2013 at 01:35:48AM +0200, Axel Rau wrote:

> > This is a mistake. You probably meant:
> >
> >     kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH
>
> Thanks for pointing that out.
> But has this something to do with exim 4.82 failing while 4.80 does not?
> I think, not.

No, not as such. However, Phil has already explained that problem,
only you were not listening. OpenSSL peer verification settings
including the set of trusted CAs, ... are per SSL context.

Exim sets the SSL context for TLS in the SMTP engine, so Exim when
doing SMTP uses your configured trusted CAs.

However, exim *does not* create the SSL context used in the PgSQL
library when Postgres is making SSL connections. That's Postgres
code, not Exim code. You need to tell Postgres to trust the CA;
Exim does not know whether Postgres is using TLS or not.

To do that, make appropriate Postgres client configuration settings,
outside Exim (Exim settings of environment variables might influence
Postgres unbeknownst to Exim).

-- 
    Viktor.
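The point of the message is that Exim's own TLS options (tls_verify_certificates and friends) configure only the SSL context Exim builds for SMTP; the libpq connection that the pgsql lookup opens is configured by libpq's own mechanisms: the PG* environment variables, the connection service file ($HOME/.pg_service.conf) and the default trust store $HOME/.postgresql/root.crt of the user Exim runs as. The script below is an added example, not part of the thread and not Exim or PostgreSQL project code. It writes a libpq service entry that enforces sslmode=verify-full against a named CA file and then checks that the entry really does verify. The user name "exim", its home directory, the host db.example.org, the database "mail" and the CA path /etc/ssl/certs/local-ca.pem are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Exim or PostgreSQL code).
# Assumptions: Exim runs as user "exim" whose $HOME is readable by it,
# the database host is db.example.org (database "mail"), and the CA that
# signed the Postgres server certificate is /etc/ssl/certs/local-ca.pem.
#
# libpq consults $HOME/.pg_service.conf when PGSERVICE names a service and
# uses $HOME/.postgresql/root.crt as the default trust store for
# sslmode=verify-ca / verify-full. Exim's tls_verify_certificates does not
# touch either; it only affects Exim's own SMTP SSL context.

# write_pg_service DIR CAFILE
# Install CAFILE as DIR/.postgresql/root.crt and write a service "exim"
# in DIR/.pg_service.conf that verifies the server certificate and name.
write_pg_service() {
    dir=$1
    cafile=$2
    mkdir -p "$dir/.postgresql"
    cp "$cafile" "$dir/.postgresql/root.crt"
    cat > "$dir/.pg_service.conf" <<EOF
[exim]
host=db.example.org
port=5432
dbname=mail
sslmode=verify-full
sslrootcert=$dir/.postgresql/root.crt
EOF
    # The service file may carry a password one day; keep it private.
    chmod 0600 "$dir/.pg_service.conf"
}

# check_pg_service DIR
# Return 0 only if the "exim" service in DIR/.pg_service.conf enforces
# verify-full and its sslrootcert points at a readable file. Anything
# weaker (prefer, require, verify-ca) or a missing CA file returns 1.
check_pg_service() {
    conf=$1/.pg_service.conf
    [ -r "$conf" ] || return 1
    mode=$(sed -n '/^\[exim\]/,/^\[/{s/^sslmode=//p;}' "$conf")
    ca=$(sed -n '/^\[exim\]/,/^\[/{s/^sslrootcert=//p;}' "$conf")
    [ "$mode" = "verify-full" ] || return 1
    [ -n "$ca" ] && [ -r "$ca" ] || return 1
    return 0
}

# Usage (as the exim user):  sh pgssl.sh install /etc/ssl/certs/local-ca.pem
case "${1-}" in
    install) write_pg_service "$HOME" "$2" && check_pg_service "$HOME" ;;
esac
```

After installing the service file, test it outside Exim as the same user with `PGSERVICE=exim psql -c 'select 1'`; with verify-full, libpq refuses the connection if the server certificate does not chain to root.crt or does not match db.example.org. For the lookup itself to get the same treatment, PGSERVICE=exim (or, equivalently, PGSSLMODE=verify-full and PGSSLROOTCERT) must be present in the environment the Exim daemon is started from, which is exactly the "unbeknownst to Exim" channel the message refers to: Exim's pgsql_servers entry (host/dbname/user/password) supplies only the host, database and credentials, and explicit parameters override the same keys in the service file.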