Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification …

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
On 2021-07-18 Andreas Metzler <eximusers@???> wrote:
> Hello,
> there seems to be some breakage in 4.95 RC0 with outgoing TLS, it fails
> to verify the peer certificate:
> --------------------
> initialising GnuTLS as a client on fd 7
> GnuTLS global init required
> initialising GnuTLS client session
> Expanding various TLS configuration options for session credentials
> TLS: basic cred init, client
> TLS: no client certificate specified; okay
> TLS: tls_verify_certificates not set or empty, ignoring

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That seems to be the required hint.

Given this transport

smarthost_smtp:
driver = smtp
multi_domain
hosts_require_tls = *
tls_verify_hosts = *

we get different output for
»exim -bP transport smarthost_smtp | grep tls_verify_certificates«

with 4.92.2
tls_verify_certificates = system
and 4.95 rc0
tls_verify_certificates =

And indeed explicitly setting "tls_verify_certificates = system" on the
transport lets cert verification succeed.

(This also applies to the main configuration option
tls_verify_certificates, not just to the transport option. - It is also
empty by default.)

cu Andreas
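As an added illustration (not part of Andreas's post or of Exim itself), the check he ran by hand can be scripted: read the `exim -bP transport <name>` output and flag a transport that asks for peer verification (`tls_verify_hosts` set) while the CA bundle option `tls_verify_certificates` is empty, which is exactly the state that makes verification fail. The two `-bP` outputs below are constructed to mirror the post, not captured from a running Exim; the function names `bp_option` and `check_tls_verify` are this example's own.

```shell
# Added example, not from the post or from Exim: a portable sh check over
# "exim -bP transport <name>" output. Sample outputs are constructed.

# Constructed: what the post reports 4.92.2 printing for smarthost_smtp
BP_OUTPUT_492='driver = smtp
multi_domain
hosts_require_tls = *
tls_verify_hosts = *
tls_verify_certificates = system'

# Constructed: what the post reports 4.95 RC0 printing (CA bundle now empty)
BP_OUTPUT_495='driver = smtp
multi_domain
hosts_require_tls = *
tls_verify_hosts = *
tls_verify_certificates ='

# Print the value of one option from -bP output; empty if unset or empty.
# $1 = -bP output, $2 = option name
bp_option() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | head -n 1
}

# Exit status: 0 = verification requested and a CA bundle is configured,
#              1 = verification requested but tls_verify_certificates is empty
#                  (the regression in the post: verification cannot succeed),
#              2 = tls_verify_hosts unset, so no peer verification requested.
check_tls_verify() {
    hosts=$(bp_option "$1" tls_verify_hosts)
    certs=$(bp_option "$1" tls_verify_certificates)
    if [ -z "$hosts" ]; then
        return 2
    fi
    if [ -z "$certs" ]; then
        printf 'WARNING: tls_verify_hosts=%s but tls_verify_certificates is empty; set it explicitly (e.g. "system")\n' "$hosts" >&2
        return 1
    fi
    return 0
}

# On a real host (not run here):
#   check_tls_verify "$(exim -bP transport smarthost_smtp)"
```

The same check applies to the main-section option Andreas mentions: feed it `exim -bP tls_verify_hosts tls_verify_certificates` output instead of the transport dump.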