[exim-dev] [Bug 1557] New: 4.85rc1/2 delivers unencrypted if…

Author: Wolfgang Breyha
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1557] New: 4.85rc1/2 delivers unencrypted if hosts_try_dane used ...
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1557
           Summary: 4.85rc1/2 delivers unencrypted if hosts_try_dane used
                    ...
           Product: Exim
           Version: 4.84
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: pdp@???
        ReportedBy: wbreyha@???
                CC: exim-dev@???



I used the following transport config up to 4.84:

remote_smtp:
  driver            = smtp
  ...
  tls_certificate   = /etc/pki/....pem
  tls_privatekey    = /etc/pki/....key
  tls_verify_certificates = /etc/pki/tls/cert.pem
  tls_try_verify_hosts = *
  ...


and Exim delivered encrypted to hosts with self-signed certs which fail
verification.

I tested 4.85rc1 and rc2 DANE support (with OpenSSL) and changed to

# tls_try_verify_hosts = *
  dnssec_request_domains = *
  hosts_try_dane    = *


Exim gets correct DANE results, reporting CV=dane if available, but when
delivering to hosts *without* DANE DNS RRs that have self-signed certs (or
where verification fails for other reasons) it falls back to unencrypted delivery
as if tls_verify_hosts was used.

Log shows e.g.:
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] TLS
error on connection (SSL_connect): error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering
unencrypted to xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] (not in hosts_require_tls)
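As an added example (not part of the bug report or of Exim), a small Python check that scans Exim main-log lines for the "delivering unencrypted" fallback described above and pairs each hit with the most recent TLS error logged for the same message id; the sample log is constructed from the report's format with placeholder host names and addresses.

```python
import re

# Exim main-log line: "<date> <time> <message-id> <text>"; message ids are 6-6-2 chars.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S{6}-\S{6}-\S{2}) (?P<text>.*)$")
# The fallback message quoted in the report.
FALLBACK_RE = re.compile(
    r"TLS session failure: delivering unencrypted to (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)
# The TLS error that precedes it for the same message.
TLS_ERR_RE = re.compile(r"TLS error on connection \((?P<stage>[^)]+)\): (?P<err>.*)$")

# Constructed sample: the two lines from the report (hosts replaced by
# documentation addresses) plus one normal DANE-verified delivery.
SAMPLE_LOG = """\
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=mx.example.net [192.0.2.10] TLS error on connection (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering unencrypted to mx.example.net [192.0.2.10] (not in hosts_require_tls)
2014-12-03 09:42:20 1Xw5Vs-0008IF-Q1 => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane
"""

def find_unencrypted_fallbacks(log_text):
    """Return one record per plaintext fallback, with the TLS error that caused it."""
    last_tls_error = {}   # message id -> most recent TLS error text
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # queue-run and other lines without a message id
        msgid, text = m.group("msgid"), m.group("text")
        e = TLS_ERR_RE.search(text)
        if e:
            last_tls_error[msgid] = e.group("err")
            continue
        f = FALLBACK_RE.search(text)
        if f:
            findings.append({
                "ts": m.group("ts"),
                "msgid": msgid,
                "host": f.group("host"),
                "ip": f.group("ip"),
                "reason": last_tls_error.get(msgid, "unknown"),
            })
    return findings

if __name__ == "__main__":
    for hit in find_unencrypted_fallbacks(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['msgid']} plaintext to {hit['host']} [{hit['ip']}]: {hit['reason']}")
```

Running it over a real mainlog flags every delivery that silently dropped to plaintext, which is the condition the report says hosts_try_dane should not cause for non-DANE hosts.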


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email