Hello,

I'll post my question already sent to exim-user, because I think the mentioned problem is more related to GNUTLS than to exim.

About the mentioned library version I'm not 100% sure, but ldd reports libgnutls.so.26.

----- Forwarded message from Heiko Schlittermann <[email protected]> -----

Date: Fri, 19 Jun 2009 13:59:20 +0200
From: Heiko Schlittermann <[email protected]>
To: Exim Users List <[email protected]>
Sender: [email protected]
Subject: [exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

Hello,

after resolving the issues with certs not verified by GNUTLS (because of the wrong signature algorithm) we experience some other problem:

Whenever requesting a client certificate (tls_try_verify_hosts), the client (Outlook Express) does not successfully connect. Without requesting a certificate, TLS/SSL works.

On the server: Exim4 4.69 + GNUTLS 2.6(.4), on the client side some Outlook (currently OE 6.0, but I think the version is not important here).

The server's options are

    tls_advertise_hosts = *
    tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
    tls_on_connect_ports = 465
    tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
    tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
    tls_try_verify_hosts = *¹
    tls_verify_hosts =

    ¹) I need this, because some (verified) certs are used for
       authentication.

Other TLS relevant options are not set.

The client complains with error code 0x800CCC0F (it seems to be quite generic...)

With older versions of GNUTLS (used on some other server with Exim 4.68 + GNUTLS 1.3.x) it works. Clients other than Outlook connect.

When I switch off the exim and simulate a server using "openssl s_server ...", I can successfully simulate the session; attempting the same with "gnutls-serv ..." hangs after "sending CERTIFICATE REQUEST" to the client.

My questions:

* does anybody else experience this problem? (I found something using google, but nothing related to Outlook and GNUTLS)
* do I really have to link exim against the OpenSSL libs? (I do not like it, because of the maintenance issue)

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

----- End forwarded message -----
