Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?

Author: Axel Rau
Date:  
To: exim-dev
Subject: Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?

On 08.10.2013 at 03:56, Viktor Dukhovni <viktor1dane@???> wrote:

> On Tue, Oct 08, 2013 at 01:35:48AM +0200, Axel Rau wrote:
>
>>> This is a mistake. You probably meant:
>>>
>>>     kEDH+HIGH:!eNULL:!aNULL:!MD5:@STRENGTH
>>
>> Thanks for pointing that out.
>> But has this something to do with the fact that exim 4.82 fails while 4.80 does not?
>> I think not.
>
> No, not as such. However, Phil has already explained that problem,
> only you were not listening. OpenSSL peer verification settings
> including the set of trusted CAs, ... are per SSL context.
>
> Exim sets the SSL context for TLS in the SMTP engine, so Exim when
> doing SMTP uses your configured trusted CAs.
>
> However, exim *does not* create the SSL context used in the PgSQL
> library when Postgres is making SSL connections. That's Postgres
> code, not Exim code. You need to tell Postgres to trust the CA,
> Exim does not know whether Postgres is using TLS or not.

Or tell PostgreSQL to not require a trusted CA, by setting sslmode
to 'prefer' or below (as I do in my closed environment).
>
> To do that, make appropriate Postgres client configuration settings,
> outside Exim (Exim settings of environment variables might influence
> Postgres unbeknownst to Exim).

The only setting I'm aware of is the CA cert in ~/.postgresql,
which tells PostgreSQL the trusted certificate authorities.
This worked for me for years and currently works with exim boxes running exim
up to 4.82 RC2.
Only this box, doing pgsql stuff via TPDA has the problem.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
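The point made in the thread above, that libpq and not Exim decides whether the database server's certificate is verified, as an added example that is not part of the thread or of Exim: a POSIX shell check that resolves libpq's effective sslmode and root CA file from the environment the lookup runs in. It assumes the documented libpq defaults (sslmode "prefer", CA file ~/.postgresql/root.crt, overridable via PGSSLMODE and PGSSLROOTCERT) and libpq's compatibility rule that sslmode=require verifies the CA when a root CA file exists.

```shell
# Added example (not from the thread or from Exim): resolve the libpq-side
# SSL settings that Exim's pgsql lookup inherits, the way libpq itself does.
# Exim's tls_* options and tls_verify_certificates play no part here; libpq
# reads PGSSLMODE / PGSSLROOTCERT, falling back to ~/.postgresql/root.crt
# under the HOME of the user the lookup runs as.

# Effective sslmode: PGSSLMODE if set, otherwise libpq's default "prefer".
libpq_effective_sslmode() {
    printf '%s\n' "${PGSSLMODE:-prefer}"
}

# Effective root CA file: PGSSLROOTCERT if set, else ~/.postgresql/root.crt.
libpq_effective_rootcert() {
    printf '%s\n' "${PGSSLROOTCERT:-$HOME/.postgresql/root.crt}"
}

# Returns 0 when the resulting connection will verify the server certificate
# against a CA, 1 when it will not (or cannot be established at all).
libpq_verifies_server() {
    mode=$(libpq_effective_sslmode)
    cert=$(libpq_effective_rootcert)
    case "$mode" in
        verify-ca|verify-full)
            # Explicit verification: libpq refuses to connect without the CA file.
            if [ -r "$cert" ]; then
                echo "verifying ($mode) against $cert"; return 0
            fi
            echo "connection fails: $mode requested but $cert is missing"; return 1 ;;
        require)
            # Documented libpq rule: "require" verifies the CA only if a root
            # CA file is present; otherwise the session is encrypted but unverified.
            if [ -r "$cert" ]; then
                echo "verifying (require with existing $cert)"; return 0
            fi
            echo "encrypted but unverified (require, no root cert)"; return 1 ;;
        *)
            echo "not verifying (sslmode=$mode)"; return 1 ;;
    esac
}

# Report the effective state of the current environment (exit status ignored).
libpq_verifies_server || :
```

Run it as the user Exim performs lookups as (with that user's HOME) to see which trust decision libpq will actually make for the pgsql lookup.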