Bug#591261: exim4: Certificate based verification does not work.
On 2010-08-02 Andreas Metzler ametz...@downhill.at.eu.org wrote:
[...]
> Anyway, the behavior of the two TLS implementations used in exim4 seems to differ when none of the certificates available are listed as acceptable by the server. (In the respective handshake for X-509 certs the server basically says "Please show me your cert, the list of acceptable ones is this one.") In this situation exim4's GnuTLS implementation does not send any cert, the OpenSSL code does.
[...]

Hello,

And exactly this seems to be the case here. smtp.cjsm.net does not say which client certs are acceptable:

ametz...@argenau:~$ openssl s_client -state -connect smtp.cjsm.net:25 -starttls smtp
[...]
---
No client certificate CA names sent
---
[...]

While on the other hand if I configure exim to request client certs signed by cjsm's CA (by pointing MAIN_TLS_VERIFY_CERTIFICATES to a file containing just this cert and setting MAIN_TLS_TRY_VERIFY_HOSTS) I will get this. (No matter whether exim is linked against OpenSSL or GnuTLS.):

[...]
---
Acceptable client certificate CA names
/C=GB/ST=Wiltshire/L=Swindon/O=Cable Wireless plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA (CJSM)/emailaddress=raymond.e...@cwipapps.net
---
[...]

As I said previously, in this scenario GnuTLSed exim won't send client certificates. It would be possible to change this; the GnuTLS interface exists, exim just does not yet use it.

cu andreas

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
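The check Andreas runs by hand above can be scripted: the functions below, an added example that is not part of the bug thread or of exim, filter `openssl s_client` output for the CA list in the server's CertificateRequest and test whether a client certificate's issuer DN is on it. The two s_client transcripts and the issuer DN are constructed samples, not captures from smtp.cjsm.net.

```shell
#!/bin/sh
# Added example (not from the bug thread or from exim): check whether an SMTP
# server's CertificateRequest advertises the CA that issued our client cert.
# Per the thread, exim+GnuTLS only presents a client cert when its issuer is
# in that list, while exim+OpenSSL sends it regardless.

# Constructed sample of "openssl s_client -connect host:25 -starttls smtp"
# output, trimmed to the relevant section (not captured from smtp.cjsm.net).
SAMPLE_WITH_CA='---
Acceptable client certificate CA names
/C=GB/ST=Wiltshire/L=Swindon/O=Cable Wireless plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA (CJSM)
---
SSL handshake has read 3210 bytes and written 456 bytes'

# Constructed sample for a server that sends an empty CA list.
SAMPLE_NO_CA='---
No client certificate CA names sent
---
SSL handshake has read 2048 bytes and written 312 bytes'

# Issuer DN in the slash-separated form s_client prints (constructed to match
# the first sample; the real CJSM DN also carries an emailaddress component).
ISSUER='/C=GB/ST=Wiltshire/L=Swindon/O=Cable Wireless plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA (CJSM)'

# Print the CA DNs between the "Acceptable client certificate CA names"
# header and the next "---" separator, one per line; prints nothing when
# the server sent no list. Reads s_client output on stdin.
acceptable_cas() {
    awk '/^Acceptable client certificate CA names/ { inlist = 1; next }
         /^---/                                   { inlist = 0 }
         inlist                                   { print }'
}

# Number of advertised CA names in the s_client output passed as $1.
ca_count() {
    printf '%s\n' "$1" | acceptable_cas | wc -l | tr -d ' '
}

# Exit 0 when issuer DN $1 appears verbatim in the list advertised in $2,
# i.e. when a client that honours the list would present the certificate.
issuer_advertised() {
    printf '%s\n' "$2" | acceptable_cas | grep -Fxq -- "$1"
}

# Live use (assumed invocation): pipe a real handshake through the filter.
#   openssl s_client -connect HOST:25 -starttls smtp </dev/null 2>/dev/null \
#     | acceptable_cas
```

An empty result from `acceptable_cas` against a real server is the situation the thread describes: a GnuTLS-linked exim will then not send its certificate, whatever tls_certificate is set to.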
Bug#591261: exim4: Certificate based verification does not work.
On 2010-08-02 Jon Westgate j...@fsck.tv wrote:
[...]
> I noticed that the CJSM server was sending back "550 you must send a certificate" error responses when I tested.

Could you tell us which smtp server you are connecting to?

thanks,
cu andreas
Bug#591261: exim4: Certificate based verification does not work.
Yes, but sadly it's not going to do you much good :(

The server in question is smtp.cjsm.net. It's locked down by IP as well as cert. I think it is a version of exim running, but it's government run so not much chance of doing anything with it. One of the engineers who was assigned to help me says that they have exchange servers connecting to it ok as well as sendmail, oh and not forgetting exim. In fact exim is the first mta that they mention in the docs.

http://www.cjsm.cjit.gov.uk/downloads/TechnicalOverviewCJSM.doc

This is why I set up a 2nd server. Don't you just hate red tape.

Just out of interest do you know which of the extras in exim4-daemon-heavy is responsible for its non-GPL compliance when it's linked against openssl?

Regards
Jon
Bug#591261: exim4: Certificate based verification does not work.
On 2010-08-01 Jon Westgate j...@fsck.tv wrote:
> On 01/08/10 17:35, Andreas Metzler wrote:
> > On 2010-08-01 Jon Westgate o...@fsck.tv wrote:
> > > Package: exim4
> > > Version: 4.72-1
> > > Severity: important
> > > Tags: upstream
> > >
> > > I have been asked to set up an exim4 server for use with CJSM. https://www.cjsm.net This requires that a server (acting as a smart host in this case) encrypt and sign all emails headed for CJSM. This is something that according to exim.org, exim should be capable of doing. After struggling with this for a number of days I came across a blog entry on the web saying that exim compiled against openssl seemed to work whereas exim compiled against gnutls didn't. I recompiled and hey presto everything works. I'm not campaigning for openssl to be the default in exim, just merely registering the fact that both tls_try_verify_hosts and tls_verify_hosts directives fail with this package. Indeed exim as a client does not send a certificate when asked for one.
[...]
> The point I was trying to make is that exim doesn't send a certificate when asked even if you have the following:
>
> remote_smtp:
>   driver = smtp
>   tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
>   tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
>
> recompile both servers against openssl and it magically works, but only if both are built against openssl.

The point I was trying to make was that exim+GnuTLS generally is able to send server certificates. ;-)

Anyway, the behavior of the two TLS implementations used in exim4 seems to differ when none of the certificates available are listed as acceptable by the server. (In the respective handshake for X-509 certs the server basically says "Please show me your cert, the list of acceptable ones is this one.") In this situation exim4's GnuTLS implementation does not send any cert, the OpenSSL code does. It seems to be possible to change this by using the callback interface.

http://mid.gmane.org/874pmfixt2@mocca.josefsson.org

cu andreas
Bug#591261: exim4: Certificate based verification does not work.
Andreas,

I just used openssl with pretty much the default settings to generate my cert request. CJSM sent me back a signed x509 cert (pem) which I installed according to the docs at exim.org with maybe a slight modification to the locations; I put them in /etc/exim4/certs. It's got Debian-exim read permissions.

I noticed that the CJSM server was sending back "550 you must send a certificate" error responses when I tested.

The only reason I set up a pair of servers was to try to debug things. I found the article http://www.exim-users.org/forums/showthread.php?t=50795 and this prompted me to try openssl.

So you are saying that gnutls does not support x509 certs?

The certificate in question mostly decodes (censored to protect my client) as:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 276 (0x114)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Wiltshire, L=Swindon, O=Cable Wireless plc, OU=CJIT Secure Mail, CN=Criminal Justice IT Root CA (CJSM)/emailaddress=x...@xxx.net
        Validity
            Not Before: Jul 28 10:27:55 2010 GMT
            Not After : Jul 28 10:27:55 2013 GMT
        Subject: C=GB, ST=London, L=Farringdon (london), O=X Xxxx, OU=IT Section, CN=mail.x.co.uk/emailaddress=xx...@xx.co.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:4F:65:C7:4A:XX:94:XX:XX:B2:XX:F8:27:75:XX:XX:XX:XX:XX
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX:B4:49:XX:CC:XX:34:D7:XX:32:XX:37:96:AE:XX:XX:XX:XX
                DirName:/C=GB/ST=Wiltshire/L=Swindon/O=X Y plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA (CJSM)/emailaddress=...@y.net
                serial:00
    Signature Algorithm: md5WithRSAEncryption
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx
        xx:xx:xx:1024 bits of info here :xx:xx:xx

Is it something to do with the version numbers???

Regards
Jon
Bug#591261: exim4: Certificate based verification does not work.
Package: exim4
Version: 4.72-1
Severity: important
Tags: upstream

I have been asked to set up an exim4 server for use with CJSM. https://www.cjsm.net This requires that a server (acting as a smart host in this case) encrypt and sign all emails headed for CJSM. This is something that according to exim.org, exim should be capable of doing. After struggling with this for a number of days I came across a blog entry on the web saying that exim compiled against openssl seemed to work whereas exim compiled against gnutls didn't. I recompiled and hey presto everything works. I'm not campaigning for openssl to be the default in exim, just merely registering the fact that both tls_try_verify_hosts and tls_verify_hosts directives fail with this package. Indeed exim as a client does not send a certificate when asked for one. I have no idea what is being sent but wireshark shows fewer characters with the gnutls than with openssl.

I'm sorry I'm not a programmer so it's unlikely I'll be submitting any patches. Maybe exim4-daemon-heavy-openssl should be placed in non-free till all the licensing stuff blows over.

Regards
Jon Westgate (Oryn)

-- Package-specific info:
Exim version 4.72 #1 built 03-Jun-2010 18:16:45
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /var/lib/exim4/config.autogenerated

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='Osiris.fsck.tv'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

mailname:Osiris.fsck.tv

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.34.1 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.33  Debian configuration management sy
ii  exim4-base             4.72-1  support files for all Exim MTA (v4
ii  exim4-daemon-light     4.72-1  lightweight Exim MTA (v4) daemon

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information excluded
Bug#591261: exim4: Certificate based verification does not work.
On 2010-08-01 Jon Westgate o...@fsck.tv wrote:
> Package: exim4
> Version: 4.72-1
> Severity: important
> Tags: upstream
>
> I have been asked to set up an exim4 server for use with CJSM. https://www.cjsm.net This requires that a server (acting as a smart host in this case) encrypt and sign all emails headed for CJSM. This is something that according to exim.org, exim should be capable of doing. After struggling with this for a number of days I came across a blog entry on the web saying that exim compiled against openssl seemed to work whereas exim compiled against gnutls didn't. I recompiled and hey presto everything works. I'm not campaigning for openssl to be the default in exim, just merely registering the fact that both tls_try_verify_hosts and tls_verify_hosts directives fail with this package. Indeed exim as a client does not send a certificate when asked for one.
[...]

Hello,

the information you provided is sparse. If I were asked for a guess I would think that you stumbled upon

| 39.2 OpenSSL vs GnuTLS
|
| The tls_verify_certificates option must contain the name of a file,
| not the name of a directory (for OpenSSL it can be either).

cu andreas
Bug#591261: exim4: Certificate based verification does not work.
Hi Andreas,

I have this as my config.

tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
log_selector = +tls_peerdn
tls_dhparam = /etc/exim4/dh.key
tls_advertise_hosts = *
#auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
auth_advertise_hosts = *
tls_try_verify_hosts = *
tls_verify_certificates = /etc/exim4/cacerts/cacert.pem   (yes this is a file and not a directory)

The point I was trying to make is that exim doesn't send a certificate when asked even if you have the following:

remote_smtp:
  driver = smtp
  tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
  tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem

recompile both servers against openssl and it magically works, but only if both are built against openssl.

Regards
Jon