Bug#591261: exim4: Certificate based verification does not work.

Mon, 02 Aug 2010 13:54:19 -0700 

 Andreas,
I just used openssl with pretty much the default settings to generate my cert request, CJSM sent me back a signed x509 cert (pem) which I installed according to the docs at exim.org with maybe a slight modification to the locations, I put them in /etc/exim4/certs. Its got Debian-exim read permissions 


I noticed that the CJSM server was sending back "550 you must send a 
certificate" error responses when I tested.

The only reason I setup a pair of servers was to try to debug things.

I found the article http://www.exim-users.org/forums/showthread.php?t=50795
and this prompted me to try openssl.

So you are saying that gnutls does not support x509 certs?


The certificate in question mostly decodes (censored to protect my 
client) as:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 276 (0x114)
        Signature Algorithm: md5WithRSAEncryption

        Issuer: C=GB, ST=Wiltshire, L=Swindon, O=Cable & Wireless plc, 
OU=CJIT Secure Mail, CN=Criminal Justice IT Root CA 
(CJSM)/emailaddress=xxxxxxxxx...@xxxxxxx.net

        Validity
            Not Before: Jul 28 10:27:55 2010 GMT
            Not After : Jul 28 10:27:55 2013 GMT

        Subject: C=GB, ST=London, L=Farringdon (london), O=Xxxxxxxxx 
Xxxxxxxx, OU=IT Section, 
CN=mail.xxxxxxxxx.co.uk/emailaddress=xx...@xxxxxxxxxx.co.uk

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:4F:65:C7:4A:XX:94:XX:XX:B2:XX:F8:27:75:XX:XX:XX:XX:XX
            X509v3 Authority Key Identifier:

keyid:XX:XX:XX:B4:49:XX:CC:XX:34:D7:XX:32:XX:37:96:AE:XX:XX:XX:XX

                DirName:/C=GB/ST=Wiltshire/L=Swindon/O=Xxxxx & 
Yyyyyyyyy plc/OU=CJIT Secure Mail/CN=Criminal Justice IT Root CA 
(CJSM)/emailaddress=yyyy...@yyyyyyyyy.net

                serial:00

    Signature Algorithm: md5WithRSAEncryption
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx
                    xx:xx:xx:1024 bits of info here :xx:xx:xx

Is it something to do with the version numbers???

Regards
Jon


On 02/08/10 19:12, Andreas Metzler wrote:

On 2010-08-01 Jon Westgate<j...@fsck.tv>  wrote:


On 01/08/10 17:35, Andreas Metzler wrote:

On 2010-08-01 Jon Westgate<o...@fsck.tv>   wrote:

Package: exim4
Version: 4.72-1
Severity: important
Tags: upstream
I have been asked to setup an exim4 server for use with CJSM.
https://www.cjsm.net This requires that a server (acting as a smart
host in this case) encrypt and sign all emails headed for CJSM.
This is something that according to exim.org, exim should ba
capeable of doing.  After struggling with this for a number of days
I came accross a blog entry on the web saying that exim compiled
against openssl seemed to work where as exim compiled against gnutls
didn't.  I recompiled and hey presto everything works.  I'm not
campaining for openssl to be the default in exim, just mearly
registering the fact that both tls_try_verify_hosts and
tls_verify_hosts directives fail with this package.  Indeed exim as
a client does not send a certificate when asked for one.

[...]


The point I was trying to make is that exim doesn't send a certificate
when asked
even if you have the following:
remote_smtp:
   driver = smtp
   tls_certificate = /etc/exim4/mail.fsck.tv-cert.pem
   tls_privatekey = /etc/exim4/mail.fsck.tv-key.pem
recompile both servers against openssl and it magicly works, but only if
both are build against openssl.

The point I was trying to make was that exim+GnuTLS generally is able to
send server certificates. ;-)

Anyway, the behavior of the two TLS implementation used in exim4 seems
to differ when none of the certificates available are listed as
acceptable by the server. (In the respective handshake for X-509 certs
the server basically says "Please show me your cert, the list of
acceptable ones is this one.") In this situation exim4's GnuTLS
implementation does not send any cert, the OpenSSL code does.

It seems to be possible to change this by using the callback
interface.
http://mid.gmane.org/874pmfixt2....@mocca.josefsson.org

cu andreas








--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org























					Reply via email to