Jay Lee writes:
After dealing with OpenSSL TLS issues for a while now I decided to give GnuTLS a go since it supposedly is more flexible with its negotiations. I found that it supported more Internet SMTP encrypted sessions out of the box; however, I ran into issues with TLS_TRUSTCERTS. With OpenSSL I had specified:
TLS_TRUSTCERTS=/etc/pki/tls/certs/gd_intermediate_bundle.crt
since my IMAP SSL Certificate was a secondary from GoDaddy. This worked fine for OpenSSL, but in the switch to GnuTLS, clients could no longer see the "chain". I tried a number of different ways and methods, but it seems to me right now that GnuTLS ignores the TLS_TRUSTCERTS setting. Can anybody offer any insight into this?
That's not how an intermediate cert should be used. If this worked with OpenSSL, it was only by coincidence. The correct way to specify an intermediate cert is to append it to CERTFILE. Your CERTFILE should contain: your PEM-formatted private key, your PEM-formatted certificate, and the PEM-formatted intermediate cert, all in one file.
I thought I had the code to support intermediate certs in the GnuTLS flavor, but it looks like I do not. Can you try applying the following patch and seeing if it works (with the intermediate cert set up as per above, in TLS_CERTFILE). It's going to take me a while to set up a test scenario to test this myself, you can probably test this faster:
--- tcpd/libcouriergnutls.c 7 Jul 2008 03:25:41 -0000 1.8
+++ tcpd/libcouriergnutls.c 8 Aug 2008 22:53:11 -0000
@@ -1151,6 +1151,7 @@
{
int rc;
gnutls_datum filebuf;
+ unsigned int cert_cnt;
st->ncerts=0;
st->deinit_all=0;
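Review bot: cert_cnt is declared without an initializer here and is only assigned inside the GNUTLS_CRT_X509 case in the next hunk; initializing it at the declaration (`unsigned int cert_cnt=0;`) keeps the variable defined on every path through the switch and makes the in/out use of the count in the sizing call explicit.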
@@ -1162,16 +1163,39 @@
switch (st->type) {
case GNUTLS_CRT_X509:
+ cert_cnt=0;
+
if ((rc=gnutls_x509_crt_init(&ssl->x509_crt)) < 0 ||
(rc=gnutls_x509_privkey_init(&ssl->x509_key)) < 0 ||
- (rc=gnutls_x509_crt_import(ssl->x509_crt, &filebuf,
- GNUTLS_X509_FMT_PEM)) < 0 ||
(rc=gnutls_x509_privkey_import(ssl->x509_key, &filebuf,
GNUTLS_X509_FMT_PEM)) < 0)
break;
- st->cert.x509=&ssl->x509_crt;
- st->ncerts=1;
+
+ rc=gnutls_x509_crt_list_import(NULL, &cert_cnt,
+ &filebuf,
+ GNUTLS_X509_FMT_PEM,
+
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+
+ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ break;
+
+ st->ncerts=cert_cnt+1;
+ st->cert.x509=gnutls_malloc(st->ncerts*sizeof(*st->cert.x509));
+
+ rc=gnutls_x509_crt_list_import(st->cert.x509, &st->ncerts,
+ &filebuf,
+ GNUTLS_X509_FMT_PEM, 0);
+
+ if (rc)
+ {
+ gnutls_free(st->cert.x509);
+ break;
+ }
+
st->key.x509=ssl->x509_key;
+ ssl->x509_key=0;
+ st->deinit_all=1;
+
break;
case GNUTLS_CRT_OPENPGP:
if ((rc=gnutls_openpgp_key_init(&ssl->pgp_crt)) < 0 ||
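Review bot: the gnutls_malloc() result on the `st->cert.x509=gnutls_malloc(...)` line is handed straight to the second gnutls_x509_crt_list_import() with no NULL check, so an allocation failure dereferences NULL inside the library; add `if (!st->cert.x509) { rc=GNUTLS_E_MEMORY_ERROR; break; }` before that import. Also, now that the single-certificate gnutls_x509_crt_import() into ssl->x509_crt has been removed, the remaining gnutls_x509_crt_init(&ssl->x509_crt) allocates a certificate object that is never filled or used on this path; it can be dropped from the condition so only the private key is initialized and imported here.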
As a side question, could I theoretically take the couriertls binary from an OpenSSL compile and the couriertls binary from a GnuTLS binary and use them both in the same Courier install? I'm thinking of setting it up like:
/usr/lib/courier/bin/couriertls-gnutls
/usr/lib/courier/bin/couriertls-openssl
/usr/lib/courier/bin/couriertls -> /usr/lib/courier/bin/couriertls-openssl
then by default, services would use SSL but in /etc/courier/esmtpd I would set:
COURIERTLS=/usr/lib/courier/bin/couriertls-gnutls
This'll work provided that your corresponding -ssl configuration file is grokkable by both -openssl and -gnutls flavors. Some configuration settings may differ between OpenSSL and GnuTLS flavors. You may need to fiddle the startup scripts to also read the appropriate config file.
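The TLS_CERTFILE layout the reply prescribes (private key, then server certificate, then the intermediate) is easy to get wrong when the intermediate has previously lived in TLS_TRUSTCERTS. The following is an added example, not Courier's own code: it assembles a bundle in that order and checks an existing file's PEM block order using only the standard library. The PEM bodies are constructed placeholders, and the check only inspects block headers and order; it does not verify that the intermediate actually issued the leaf certificate.

```python
import re

# Constructed sample PEM blocks; the bodies are placeholders, not real key material.
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIkeyplaceholder\n-----END RSA PRIVATE KEY-----\n"
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nMIIleafplaceholder\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nMIIintermediateplaceholder\n-----END CERTIFICATE-----\n"

# Matches one PEM block and captures its label (e.g. "CERTIFICATE", "RSA PRIVATE KEY").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)


def assemble_certfile(key_pem, leaf_pem, intermediates):
    """Build TLS_CERTFILE contents in the order the reply prescribes:
    private key first, then the server certificate, then intermediate(s)."""
    return key_pem + leaf_pem + "".join(intermediates)


def check_certfile(contents):
    """Return a list of layout problems for a TLS_CERTFILE-style bundle.
    An empty list means: one private key first, then the server cert,
    then at least one intermediate certificate."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(contents)]
    problems = []
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    certs = [label for label in labels if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block: the server certificate is missing")
    elif len(certs) < 2:
        # A cert issued by an intermediate CA (the GoDaddy case) needs the
        # intermediate appended here; TLS_TRUSTCERTS does not supply it.
        problems.append("only one CERTIFICATE block: intermediate cert not appended")
    if labels and keys and labels[0] != keys[0]:
        problems.append("private key is not the first block")
    return problems


if __name__ == "__main__":
    bundle = assemble_certfile(KEY_PEM, LEAF_PEM, [INTERMEDIATE_PEM])
    print(check_certfile(bundle) or "bundle layout OK")
```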
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
