GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
{
verify = GNUTLS_CERT_INVALID;
{
verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
rc = gnutls_certificate_verify_peers2(state->session, &verify);
rc = gnutls_certificate_verify_peers2(state->session, &verify);
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
{
state->peer_cert_verified = FALSE;
- if (*error == NULL)
- *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+ if (!*error)
+ *error = verify & GNUTLS_CERT_REVOKED
+ ? "certificate revoked" : "certificate invalid";
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
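Review bot: the failure branch `if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))` is only reached for the not-supplied case because the earlier block sets `verify = GNUTLS_CERT_INVALID;`, not because of `rc` (a non-OK return from `peer_status()` need not be negative); a one-line comment at that assignment would make the dependency explicit. Dropping the `!= 0` and the outer parentheses is correct since `&` binds tighter than `||`, and the `if (!*error)` guard keeps the more specific `"certificate not supplied"` text from being overwritten with `"certificate invalid"`, which is the right precedence. Note that the three new strings are now part of the logged message and must stay in step with the expected-log files in the test suite.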
tls_privatekey = CERT
tls_verify_hosts = HOSTIPV4
tls_privatekey = CERT
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
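Review bot: leaving `#tls_verify_certificates = TVC` commented out with no explanation invites someone to restore it later and break the test on older GnuTLS; add a short comment in the config stating the reason given in the commit message (early GnuTLS sends no usable client-cert request when the file is empty) and that `CERT` is used here only because this test exercises missing server certificates, not client verification.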
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
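Review bot: the new expected line `(certificate verification failed): certificate invalid` couples the test to the exact string chosen in tls-gnu.c; since that code tests GNUTLS_CERT_REVOKED before GNUTLS_CERT_INVALID and its own comment notes INVALID is set alongside REVOKED, a GnuTLS build that flags this cert as revoked would produce `certificate revoked` and fail the comparison. A comment in the test noting that coupling would save the next person a diagnosis. The `cert/key setup: cert=/non/exist key=/non/exist` lines are unchanged context for the missing-server-cert case and are unaffected.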
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
+Succeeded in starting TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2
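Review bot: `+Succeeded in starting TLS` makes the client script expect the handshake to complete on the same connection for which the server log now records `certificate verification failed`, while the config still lists the client under `tls_verify_hosts = HOSTIPV4`; please confirm that logging the failure and continuing is the intended outcome for a host where verification is required, or whether this test should be using the try-verify setting instead, and say so in the commit message either way.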