[exim-dev] [Bug 1489] ${certextract} parse error (4.83 RC1)

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Mike Cardwell
Ημερομηνία:  
Προς: exim-dev
Αντικείμενο: [exim-dev] [Bug 1489] ${certextract} parse error (4.83 RC1)
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1489




--- Comment #7 from Mike Cardwell <exim-users@???> 2014-06-05 14:26:53 ---
(In reply to comment #5)

> The "sig_algorithm" result is that given by the OpenSSL library for the calls
>
> OBJ_nid2ln(X509_get_signature_type((X509 *)cert))
>
> not a result of a parse error by the exim code. It might be worthwhile asking
> on the OpenSSL mailing list when this result string can be returned.


A quick google found somebody else who is seeing this and how they fixed it:

https://stackoverflow.com/questions/19394151/how-to-get-the-cipher-signature-after-ssl-handshake

That might be a starting point.

> The bunch of crap returned for the "signature" result comes from the call
>
>   X509_print_ex(bp, (X509 *)cert, 0,
>    X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
>    X509_FLAG_NO_SIGNAME | X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY |
>    X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS |
>    /* X509_FLAG_NO_SIGDUMP is the missing one */
>    X509_FLAG_NO_AUX)

>
> I'm sorry it's not what you expected; any suggestion for improvement will be
> welcome.


I expected it to return the SHA256 fingerprint of the client cert. However, I
realise now what I was looking for was actually:

${sha256:$tls_in_peercert}


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email