This is an exim client checking a server certificate.
in clear.
-.option tls_try_verify_hosts smtp "host list&!!" unset
+.option tls_try_verify_hosts smtp "host list&!!" *
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
For back-compatability,
if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
and certificate verification fails the TLS connection is closed.
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
+JH/06 Verification of the server certificate for a TLS connection is now tried
+ (but not required) by default.
+
Exim version 4.85
-----------------
in that case, certificate verification fails, which seems to be the correct
behaviour. */
-if ( state->tls_verify_certificates && *state->tls_verify_certificates
-#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
- && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
-#endif
- )
+if (state->tls_verify_certificates && *state->tls_verify_certificates)
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+ state->exp_tls_verify_certificates = NULL;
+#endif
if (state->tls_crl && *state->tls_crl)
if (!expand_check_tlsvar(tls_crl))
return DEFER;
if ( ( state->exp_tls_verify_certificates
&& !ob->tls_verify_hosts
- && !ob->tls_try_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
)
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)
set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
the specified host patterns if one of them is defined */
-if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
+if ( ( !ob->tls_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+ )
|| (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
)
client_verify_optional = FALSE;
/* tls_dh_min_bits */
TRUE, /* tls_tempfail_tryclear */
NULL, /* tls_verify_hosts */
- NULL, /* tls_try_verify_hosts */
+ US"*", /* tls_try_verify_hosts */
US"*" /* tls_verify_cert_hostnames */
#endif
#ifndef DISABLE_DKIM
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =
# ----- Retry -----
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =
# ----- Retry -----
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts = :
# ----- Retry -----
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =
# ----- Retry -----
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :
# End
hosts = 127.0.0.1
hosts_nopass_tls = *
port = PORT_D
+ tls_try_verify_hosts = :
# ----- Retry -----
hosts_require_tls = HOSTIPV4
tls_require_ciphers = DES-CBC3-SHA
port = PORT_D
+ tls_try_verify_hosts = :
# ----- Retry -----
hosts = 127.0.0.1 : HOSTIPV4
port = PORT_D
allow_localhost
+ tls_try_verify_hosts = :
t2:
driver = appendfile
allow_localhost
hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
port = PORT_D
+ tls_try_verify_hosts = :
# End
hosts = HOSTIPV4
port = PORT_D
tls_sni = fred
+ tls_try_verify_hosts = :
send_to_server2:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
+ tls_try_verify_hosts = :
# ----- Retry -----
port = PORT_D
tls_sni = fred
hosts_require_tls = *
+ tls_try_verify_hosts = :
send_to_server2:
driver = smtp
port = PORT_D
tls_sni = bill
hosts_require_tls = *
+ tls_try_verify_hosts = :
# ----- Retry -----
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :
# End
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :
# End
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :
# ----- Retry -----
hosts = 127.0.0.1
port = PORT_D
hosts_avoid_tls = HOSTS_AVOID_TLS
+ tls_try_verify_hosts = :
hosts_require_auth = *
allow_localhost
port = PORT_D
hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
+ tls_try_verify_hosts = :
# End
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
tls_verify_cert_hostnames =
+ tls_try_verify_hosts =
event_action = ${acl {logger} {$event_name} {$domain} }
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but the server did not offer TLS support
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:DES-CBC3-SHA:168 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
127.0.0.1 in hosts_request_ocsp? yes (matched "*")
-127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
+127.0.0.1 in tls_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? no (end of list)
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
127.0.0.1 in tls_verify_hosts? no (option unset)
-127.0.0.1 in tls_try_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
projects / exim.git / commitdiff