http://bugs.exim.org/show_bug.cgi?id=1557
Summary: 4.85rc1/2 delivers unencrypted if hosts_try_dane used
...
Product: Exim
Version: 4.84
Platform: x86
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: pdp@???
ReportedBy: wbreyha@???
CC: exim-dev@???
I used the following transport config up to 4.84:
remote_smtp:
driver = smtp
...
tls_certificate = /etc/pki/....pem
tls_privatekey = /etc/pki/....key
tls_verify_certificates = /etc/pki/tls/cert.pem
tls_try_verify_hosts = *
...
and Exim delivered encrypted to hosts with self-signed certs which fail
verification.
I tested 4.85rc1 and rc2 DANE support (with OpenSSL) and changed to
# tls_try_verify_hosts = *
dnssec_request_domains = *
hosts_try_dane = *
Exim gets correct DANE results, reporting CV=dane if available, but when
delivering to hosts *without* DANE DNS RRs but with self-signed certs (or where
verification fails for other reasons), it falls back to unencrypted delivery
as if tls_verify_hosts were used.
Log shows e.g.:
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] TLS error on connection (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering unencrypted to xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] (not in hosts_require_tls)
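The two log lines above are the observable signature of the regression: a certificate verification error followed, for the same message id, by "TLS session failure: delivering unencrypted". As an added example (not part of the bug report or of Exim), the following script scans Exim main-log lines for that pattern and pairs each plaintext fallback with the verification error that preceded it. The sample log is constructed for the example; hostnames and addresses are placeholders.

```python
import re

# Constructed sample modelled on the log excerpt in the report (not real hosts).
# The last entry is a fallback with no preceding TLS error, to show that case.
SAMPLE_LOG = """\
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=mx.example.test [192.0.2.10] TLS error on connection (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering unencrypted to mx.example.test [192.0.2.10] (not in hosts_require_tls)
2014-12-03 09:42:15 1Xw5Vl-0008IC-J4 => user@example.test R=dnslookup T=remote_smtp H=mx.example.test [192.0.2.10]
2014-12-03 09:43:01 1Xw5Wx-0008JQ-Aa => other@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.7] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane
2014-12-03 09:44:20 1Xw5Xy-0008KR-Bb TLS session failure: delivering unencrypted to mx.example.net [203.0.113.5] (not in hosts_require_tls)
"""

# Exim main-log layout: "<date> <time> <message-id> <text>"; the id is 6-6-2 chars.
LINE_RE = re.compile(r"^\S+ \S+ (?P<id>\S{6}-\S{6}-\S{2}) (?P<text>.*)$")
TLS_ERROR_MARK = "TLS error on connection "
FALLBACK_RE = re.compile(
    r"TLS session failure: delivering unencrypted to (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)


def find_plaintext_fallbacks(log_text):
    """Return one dict per plaintext fallback, with the TLS error (if any)
    logged earlier for the same message id as its 'reason'."""
    last_tls_error = {}  # message id -> most recent TLS error text
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-message log line
        msg_id, text = m.group("id"), m.group("text")
        if TLS_ERROR_MARK in text:
            last_tls_error[msg_id] = text.split(TLS_ERROR_MARK, 1)[1]
            continue
        fb = FALLBACK_RE.search(text)
        if fb:
            findings.append({
                "id": msg_id,
                "host": fb.group("host"),
                "ip": fb.group("ip"),
                "reason": last_tls_error.get(msg_id),  # None if no error seen
            })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_fallbacks(SAMPLE_LOG):
        print(f"{f['id']} -> {f['host']} [{f['ip']}] sent in clear; cause: {f['reason']}")
```

Run it over a real main log (for example `find_plaintext_fallbacks(open('/var/log/exim4/mainlog').read())`) to list every delivery that silently dropped to cleartext after a failed handshake.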