Hi Viktor,
Looking at this reported issue, trying to set up a testcase in the Exim
testsuite for it...
I've gotten as far as a failure in the OpenSSL-linked version. It dies,
apparently disliking a self-signed cert, specifically:
21:42:14 19586 Calling SSL_connect
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS read server hello
21:42:14 19586 Dane verify_cert
21:42:14 19586 verify_callback_client_dane: BAD depth 0 /CN=Jeremy Harris/OU=Test Suite/O=The Exim Maintainers/C=UK
21:42:14 19586 - err 18 'self signed certificate'
21:42:14 19586 SSL info: SSLv3/TLS read server certificate
21:42:14 19586 SSL info: error
21:42:14 19586 Dane lib-cleanup
21:42:14 19586 LOG: MAIN
21:42:14 19586 DANE attempt failed; TLS connection to dane256tas.test.ex [192.168.0.223]: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
The routine verify_callback_client_dane() looks like:
static int
verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
{
/* The certificate currently being checked and its depth in the chain
(0 is the leaf / the cert sent by the peer) */
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
uschar dn[256];
int depth = X509_STORE_CTX_get_error_depth(x509ctx);

/* Render the subject DN for the debug line; terminate defensively in case
the one-line form was truncated to fit the buffer */
X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
dn[sizeof(dn)-1] = '\0';
DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
  preverify_ok ? "ok":"BAD", depth, dn);
...
}
I'm assuming I've missed something out from the cert I've put together?
It has

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Subject Key Identifier:
            BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81
        X509v3 Authority Key Identifier:
            keyid:BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81
        X509v3 Subject Alternative Name:
            DNS:test.ex
Any ideas?
--
Thanks,
Jeremy
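
An added example, not code from the post above, from Exim, or from the DANE library it calls: the script below rebuilds a self-signed trust-anchor certificate with the same extension profile as the one described in the message (critical CA:TRUE pathlen:0, SKI, AKI, SAN), shows that plain OpenSSL verification of it fails with error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the number in the log above) until the certificate itself is in the trust store, and prints the usage-2 (DANE-TA) TLSA rrdata for it under both selectors and the RFC 6698 matching types. It assumes the openssl CLI (1.1.1 or later) and POSIX od/sed/tr; the file paths, subject name and the DNS:test.ex SAN are constructed for the example.

```shell
#!/bin/sh
# Added example: not code from the Exim post or from the DANE library it uses.
# Reproduces OpenSSL verify error 18 on a self-signed DANE trust-anchor cert
# and prints the TLSA rrdata (usage 2) for it. Assumes the openssl CLI
# (1.1.1 or later) plus POSIX od/sed/tr. Paths, subject and the test.ex SAN
# are constructed for this example.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex-encode stdin (od rather than xxd, which is not always installed).
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Build a self-signed TA certificate with the same extension profile as the
# one in the post: critical CA:TRUE pathlen:0, SKI, AKI, SAN DNS:test.ex.
# Prints the path of the PEM certificate.
make_ta_cert() {
    cat >"$WORK/ta.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:test.ex
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ta.key" -out "$WORK/ta.pem" -days 3 -sha256 \
        -subj "/C=UK/O=Example Org/OU=Test Suite/CN=test.ex" \
        -config "$WORK/ta.cnf" -extensions v3_ca >/dev/null 2>&1 || return 1
    printf '%s\n' "$WORK/ta.pem"
}

# DER bytes covered by a TLSA selector: 0 = whole certificate,
# 1 = SubjectPublicKeyInfo only.
selector_der() {
    case $2 in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *) return 1 ;;
    esac
}

# TLSA rrdata "2 <selector> <mtype> <data>" for a DANE-TA(2) record.
# Matching type 0 = full data, 1 = SHA-256, 2 = SHA-512 (RFC 6698).
tlsa_rrdata() {
    case $3 in
        0) data=$(selector_der "$1" "$2" | hex) ;;
        1) data=$(selector_der "$1" "$2" | openssl dgst -sha256 -binary | hex) ;;
        2) data=$(selector_der "$1" "$2" | openssl dgst -sha512 -binary | hex) ;;
        *) return 1 ;;
    esac
    printf '2 %s %s %s\n' "$2" "$3" "$data"
}

# Verify a certificate against an empty trust store (one argument) or with
# the given file as the trusted cert (two arguments). Prints the X509 verify
# error number from the "error N at D depth lookup" line, or OK.
verify_result() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -no-CApath -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify -no-CApath -no-CAfile "$1" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    [ -n "$code" ] && printf '%s\n' "$code" || printf 'OK\n'
}

CERT=$(make_ta_cert)
# 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the error in the post's log:
printf 'untrusted:  error %s\n' "$(verify_result "$CERT")"
# The same certificate verifies once it is the trust anchor in the store:
printf 'as TA:      %s\n' "$(verify_result "$CERT" "$CERT")"
tlsa_rrdata "$CERT" 0 1
tlsa_rrdata "$CERT" 1 1
```

The 18-versus-OK contrast is the distinction that matters here: a self-signed certificate at depth 0 is only acceptable to OpenSSL's verifier once it is present as a trusted cert, which for DANE-TA means the TLSA-matched certificate has to be installed as a trust anchor before (or as part of) chain verification. The printed rrdata lines are in the form a test zone would carry for the `_25._tcp` name.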