Bug#544472: server certificate verification fails when connecting as an SMTP client?

Tue, 01 Sep 2009 10:57:44 -0700 

>>>>> Andreas Metzler <ametz...@downhill.at.eu.org> writes:
>>>>> Ivan Shmakov <i...@main.uusia.org> wrote:

[...]

 >> It seems that the certificate verification fails when Exim connects
 >> to the peer, while should the peer in question connect to Exim, it
 >> succeeds.

[...]

 >> Note the CV=yes vs. CV=no discrepancy.

 > Hello, Afaict you have provided exim with a list of trusted
 > certificates to check incoming connections (main configuration option
 > tls_verify_certificates) against but you have not toggled the
 > corresponding option for outgoing connections (the
 > tls_verify_certificates private option of the smtp transport).

        I've known that I've made some silly mistake!  I've fixed that
        and it works as expected now, thanks!

        However, the documentation is somewhat unclear on that matter:

--cut: (exim4) Configuring an Exim client to use TLS --
   The `tls_certificate' and `tls_privatekey' options of the `smtp'
transport provide the client with a certificate, which is passed to the
server if it requests it. If the server is Exim, it will request a
certificate only if `tls_verify_hosts' or `tls_try_verify_hosts'
matches the client. *Note*: These options must be set in the `smtp'
transport for Exim to use TLS when it is operating as a client. Exim
does not assume that a server certificate (set by the global options of
the same name) should also be used when operating as a client.

   If `tls_verify_certificates' is set, it must name a file or, for
OpenSSL only (not GnuTLS), a directory, that contains a collection of
expected server certificates. The client verifies the server's
certificate against this collection, taking into account any revoked
certificates that are in the list defined by `tls_crl'.
--cut: (exim4) Configuring an Exim client to use TLS --

        Since it's noted explicitly in the fragment above that the
        `tls_certificate' and `tls_privatekey' options are to be set for
        the transport, the lack of such a notice for
        `tls_verify_certificates' made me assume that it's the global
        option that's mentioned here.

        Could this bug thus be reassigned to the documentation (or the
        source?) with the severity downgraded (and probably retitled)?

-- 
FSF associate member #7257



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to