Hello,

the Exim 4.69 on the client side doesn't matter. If I use ``openssl
s_client'' ... to connect to the server, the same happens: same TLS
relevant config parts, but different behaviour.

Working server:
    gnutls_require_kx = 
    gnutls_require_mac = 
    gnutls_require_protocols = 
    log_selector = +tls_peerdn -retry_defer +sender_on_delivery +pid +incoming_interface
    tls_advertise_hosts = *
    tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
    tls_crl = 
    tls_dhparam = 
    tls_on_connect_ports = 465
    tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
    no_tls_remember_esmtp
    tls_require_ciphers = 
    tls_try_verify_hosts = *
    tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
    tls_verify_hosts = 

Failing server:
    gnutls_require_kx = 
    gnutls_require_mac = 
    gnutls_require_protocols = 
    tls_advertise_hosts = *
    tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
    tls_crl = 
    tls_dhparam = 
    tls_on_connect_ports = 465
    tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
    no_tls_remember_esmtp
    tls_require_ciphers = 
    tls_try_verify_hosts = 
¹   tls_verify_certificates = /etc/ssl/certs/schlittermann-ca.pem
²   tls_verify_hosts = *

1)  this file contains exactly and only the CA that signed the cert on the
    client side

2)  this should be "tls_try_verify_hosts" to be able to do some more
    ACL checking; it's changed here to tls_verify_hosts to get a faster
    response.

-- 
Heiko
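A quick local check of footnote 1, as an added example that is not part of the original post: it builds a throwaway CA, issues a client certificate from it, and confirms with `openssl verify` that the certificate chains to that CA file and not to an unrelated one, which is the same trust decision a server makes when `tls_verify_certificates` names a single-CA file. All file names and CNs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): does a client cert chain to the CA file
# that tls_verify_certificates points at? Keys, CNs and paths are placeholders.
set -eu
WORK="$(mktemp -d)"

make_ca() {  # $1 = output prefix, $2 = CN of the self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_client_cert() {  # $1 = CA prefix, $2 = client prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Exit status 0 when the client cert verifies against the given CA file,
# non-zero otherwise (the case a strict tls_verify_hosts server rejects).
verify_client_cert() {  # $1 = CA file (tls_verify_certificates), $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca ca "Constructed mail CA"          # the CA that signed the client cert
make_ca other "Unrelated CA"              # a CA that did not
issue_client_cert ca client

verify_client_cert "$WORK/ca.pem" "$WORK/client.pem" && echo "chains to ca.pem"
verify_client_cert "$WORK/other.pem" "$WORK/client.pem" || echo "does not chain to other.pem"
```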

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/