Re: [exim] expansion error in OAuth2 client authenticator

Author: Victor Ustugov
Date:  
To: Jeremy Harris via Exim-users
Subject: Re: [exim] expansion error in OAuth2 client authenticator
Jeremy Harris via Exim-users wrote on 14.03.2023 00:00:
> On 12/03/2023 21:51, Victor Ustugov via Exim-users wrote:
>> Rather, the lack of SNI support does not prevent me from getting a
>> response to the access token refresh request. But Exim puts a certificate
>> verification error message into the logs.
>
> Having found a way of doing basic functionality testing
> of it, pushed 6fdf76d0eae4.


Great.


FreeBSD 13.1, exim 4.96 without patch:

# exim -be '${readsocket{inet:oauth2.googleapis.com:443}{GET / HTTP/1.1\r\nHost: oauth2.googleapis.com\r\nConnection: close\r\n\r\n}{20s:tls=yes}{\n}{socket failure}}' 2>&1 | perl -n -e 'print $_ if (1.../^\r?\n$/)'
2023-03-14 01:33:58 [14476] [NULL] SSL verify error: depth=0 error=self signed certificate cert=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
2023-03-14 01:33:58 [14476] [NULL] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="oauth2.googleapis.com"
HTTP/1.1 404 Not Found
Date: Mon, 13 Mar 2023 23:33:58 GMT
Content-Type: text/html; charset=UTF-8
Server: ESF
Content-Length: 1561
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


FreeBSD 13.1, exim 4.96 with patch:

# exim -be '${readsocket{inet:oauth2.googleapis.com:443}{GET / HTTP/1.1\r\nHost: oauth2.googleapis.com\r\nConnection: close\r\n\r\n}{20s:tls=yes:sni=oauth2.googleapis.com}{\n}{socket failure}}' 2>&1 | perl -n -e 'print $_ if (1.../^\r?\n$/)'
HTTP/1.1 404 Not Found
Date: Mon, 13 Mar 2023 23:34:06 GMT
Content-Type: text/html; charset=UTF-8
Server: ESF
Content-Length: 1561
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Thanks a lot.


Apparently there is no need to check the patch for CentOS and Ubuntu.


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
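
The two "SSL verify error" lines in the message above come from the placeholder certificate the server returned because the client sent no SNI, not from a bad certificate on the real service. The following is an added example, not part of the original message or of Exim, that separates that case from other verification failures in a main log; the sample log is constructed from the lines shown above plus two made-up contrast lines, and the function names and the "cause" labels are assumptions.

```python
import re

# Constructed sample: the first two lines are modelled on the log output in
# the message above; the last two are made up for contrast.
SAMPLE_LOG = """\
2023-03-14 01:33:58 [14476] [NULL] SSL verify error: depth=0 error=self signed certificate cert=/OU=No SNI provided; please fix your client./CN=invalid2.invalid
2023-03-14 01:33:58 [14476] [NULL] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="oauth2.googleapis.com"
2023-03-14 02:10:11 [14502] [NULL] SSL verify error: certificate name mismatch: DN="/CN=mail.example.net" H="smtp.example.org"
2023-03-14 02:11:00 [14503] 1pbXyZ-0003lM-2a <= user@example.org H=localhost
"""

# Timestamp, optional [pid], anything up to the verify-error marker, then detail.
VERIFY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\[\d+\] )?.*?"
    r"SSL verify error: (?P<detail>.*)$")
# The two detail shapes that appear in the message above.
DEPTH_RE = re.compile(r"^depth=(?P<depth>\d+) error=(?P<error>.*?) cert=(?P<dn>.*)$")
MISMATCH_RE = re.compile(
    r'^certificate name mismatch: DN="(?P<dn>[^"]*)" H="(?P<host>[^"]*)"$')
# Text carried in the placeholder certificate's subject, as seen in the log.
NO_SNI_MARK = "No SNI provided"

def classify(line):
    """Return a dict for an SSL verify error line, or None for other lines."""
    m = VERIFY_RE.match(line)
    if not m:
        return None
    detail = m.group("detail")
    d = DEPTH_RE.match(detail) or MISMATCH_RE.match(detail)
    fields = d.groupdict() if d else {}
    dn = fields.get("dn", "")
    # Placeholder certificate: fix the client (add sni=...) rather than
    # treating it as a problem with the real service's certificate.
    cause = "client-sent-no-sni" if NO_SNI_MARK in dn else "investigate"
    return {"ts": m.group("ts"), "cause": cause, "dn": dn,
            "host": fields.get("host")}

def triage(log_text):
    """Classify every SSL verify error line in a block of log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["ts"], rec["cause"], rec["host"] or "-", rec["dn"])
```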