This one time, at band camp, Andreas Metzler said:
> On 2009-04-05 Stephen Gran <sg...@debian.org> wrote:
> have just tried to reproduce this. Both sides are running lenny. The
> client is running basically the vanilla debian config with these
> changes:
>
> The testserver is also running on port 1111 with a self-signed certificate,
> it has set tls_try_verify_hosts = * and
> tls_verify_certificates = afile/with/just/theclientcert.

I am using it with the ca.crt in that file, as I'm interested in validating
more than just a single client cert.

> * Server: *
> 31998 host in tls_try_verify_hosts? yes (matched "*")
> 31998 initialized GnuTLS session
> 31998 SMTP>> 220 TLS go ahead
> 31998 gnutls_handshake was successful
> 31998 TLS certificate verified: peerdn=C=AT,ST=Austria,CN=client.bebt.de
> 31998 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
>
> Which looks fine to me. The server asks for a certificate, the
> client sends it. I am sure to have missed something obvious. ;-)

This does not happen if the server cert presented is not signed by the same
CA as the client cert.
-- 
 -----------------------------------------------------------------
|  ,''`.                                        Stephen Gran      |
| : :' :                                        sg...@debian.org  |
| `. `'                        Debian user, admin, and developer  |
|   `-                                      http://www.debian.org |
 -----------------------------------------------------------------