Re: [exim] TLS verify

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] TLS verify
* on the Mon, Aug 03, 2015 at 02:56:11PM +0000, Viktor Dukhovni wrote:

>> 2015-08-01 16:38:58 TLS error on connection from flan.grepular.com
>> [198.211.125.252]:38235 (SSL_accept): error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: 1 Time(s)
>
> Consistent with the OP's report, his Exim SMTP client is terminating
> the SSL handshake when the peer's certificate fails to verify (in
> this case sending a fatal 'unknown ca' alert).
>
> So something in the OP's configuration seems to be making TLS
> authentication mandatory for various peers.


Well, this is my smtp transport:

remote_smtp:
    driver                  = smtp
    tls_verify_certificates = /etc/ssl/certs/
    tls_try_verify_hosts    = *
    tls_verify_hosts        = snake.grepular.com : flan.grepular.com
    hosts_require_tls       = snake.grepular.com : flan.grepular.com


Which to me looks like it shouldn't be causing this problem. I have
a bunch of other TLS config, but it's in the global scope rather
than in a transport, so *should* only apply to incoming connections:

tls_advertise_hosts     = *
tls_on_connect_ports    = 465
tls_certificate         = /etc/ssl/Exim_$received_port/ssl.crt_inc_chain
tls_privatekey          = /etc/ssl/Exim_$received_port/ssl.key
tls_dhparam             = /etc/exim4/dh-2048.pem
tls_verify_certificates = /etc/ssl/certs/
tls_try_verify_hosts    = *
tls_require_ciphers     = DEFAULT:!EXPORT
openssl_options         = +no_compression


-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4


* Want to hire me? Currently available for full-time and contracts
* https://hireme.grepular.com <- More info here
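The log line quoted at the top of the thread is the kind of evidence the discussion turns on: `(SSL_accept)` says Exim was the server on that connection, and a received `alert unknown ca` means the remote side rejected the certificate chain it was shown. The following parser is an added example, not code from the thread or from the Exim project; it splits Exim `TLS error on connection ...` lines into peer, role (server vs. client) and failure origin (a TLS alert sent by the peer vs. a verification failure raised locally), so that inbound and outbound failures can be told apart before touching `tls_verify_hosts` or `tls_try_verify_hosts`. The first sample line is the one quoted in the thread (including its logwatch `1 Time(s)` suffix); the other two lines are constructed for illustration, as is the "alert means the peer rejected us" heuristic.

```python
import re
from dataclasses import dataclass

# Sample input. Line 1 is the line quoted in the thread (logwatch form);
# lines 2 and 3 are constructed Exim main-log lines for illustration.
SAMPLE_LOG = """\
2015-08-01 16:38:58 TLS error on connection from flan.grepular.com [198.211.125.252]:38235 (SSL_accept): error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: 1 Time(s)
2015-08-01 16:40:02 TLS error on connection to mail.example.net [192.0.2.10] (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-08-01 16:41:17 TLS error on connection from [192.0.2.20]:51234 (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# "from" = Exim was the SMTP server (SSL_accept); "to" = Exim was the client (SSL_connect).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection (?P<dir>from|to) "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))? "
    r"\((?P<func>SSL_accept|SSL_connect)\): (?P<err>.*)$"
)
LOGWATCH_SUFFIX_RE = re.compile(r":\s*\d+ Time\(s\)$")


@dataclass(frozen=True)
class TlsFailure:
    timestamp: str
    role: str        # "server" for SSL_accept, "client" for SSL_connect
    peer_host: str
    peer_ip: str
    reason: str      # last field of the OpenSSL error string
    origin: str      # "peer" if the peer sent a TLS alert, "local" otherwise


def parse_tls_failure(line: str):
    """Parse one Exim TLS error line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    err = LOGWATCH_SUFFIX_RE.sub("", m.group("err"))
    # OpenSSL error strings are colon separated; the reason text comes last.
    reason = err.rsplit(":", 1)[-1].strip()
    # Heuristic (assumption): a reason containing the word "alert" is an alert
    # received from the peer, i.e. the *peer* refused our certificate or
    # handshake; anything else was raised by our own OpenSSL stack.
    origin = "peer" if "alert" in reason.split() else "local"
    return TlsFailure(
        timestamp=m.group("ts"),
        role="server" if m.group("func") == "SSL_accept" else "client",
        peer_host=m.group("host") or "(no hostname logged)",
        peer_ip=m.group("ip"),
        reason=reason,
        origin=origin,
    )


def summarise(log_text: str):
    """Count failures keyed by (peer host, our role, origin, reason)."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_tls_failure(line)
        if f is None:
            continue
        key = (f.peer_host, f.role, f.origin, f.reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (host, role, origin, reason), n in sorted(summarise(SAMPLE_LOG).items()):
        who = "peer rejected us" if origin == "peer" else "failed locally"
        print(f"{n:3d}  {host:<24} exim-as-{role:<6} {who:<16} {reason}")
```

Read the output by role: a `server`/`peer` row (as for the thread's line) points at the connecting host's client-side verification settings, not at this server's `tls_verify_hosts`; a `client`/`local` row is the case where the transport's own verification refused the remote certificate.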