
Mailing List Archive: exim: users

TLS certificate verification



jimmy at nccom

Aug 28, 2009, 11:32 AM

Post #1 of 3 (1843 views)
TLS certificate verification

I've been using a self-signed certificate for years, but I finally
decided to install a "real" one. I bought it from Go Daddy, just as I
do for our web sites, but I haven't quite gotten it working with the
following settings on exim 4.66:

# SSL/TLS cert and key
log_selector = +tls_cipher +tls_peerdn
tls_certificate = /opt/exim/certs/exim.cert
tls_privatekey = /opt/exim/certs/exim.key
tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert

# Advertise TLS to anyone
tls_advertise_hosts = *


When I test it from OS X's Mail.app, it tells me:
"this certificate was signed by an unknown authority"

When I first got this message, I realized I needed to install the Go
Daddy cert bundle file (I don't know the official name) and so I did
that and added the above tls_verify_certificates parameter. But I
notice that cert file is not being read, even after a restart:

$ ls -lut
-r--r--r-- 1 exim staff 1749 Aug 28 11:05 exim.cert
-r-------- 1 exim staff 891 Aug 28 11:05 exim.key
-r--r--r-- 1 exim staff 4680 Aug 27 03:06 godaddy-bundle.cert

I've also been getting error messages like this in the logs:

TLS error on connection from nebula.nccom.com [198.51.175.31]
(SSL_accept): error:00000000:lib(0):func(0):reason(0)

Any ideas?

Thanks...

...Jim



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


mike at pellatt

Aug 28, 2009, 2:56 PM

Post #2 of 3 (1797 views)
Re: TLS certificate verification

I use the same godaddy certificate for apache, exim and stunnel.

I created a .pem with the key, the certificate and the godaddy bundle
all in the one file.

In exim, I point

tls_certificate

and

tls_privatekey

to this file, and leave

tls_verify_certificates

unset.

I can't remember now why I did it this way - probably something to do with it being the only common method that all 3 programs would support. Whatever, it works for me (tm) !!

Hope that helps

Mike Pellatt


Jim Gottlieb wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy, just as I
> do for our web sites, but I haven't quite gotten it working with the
> following settings on exim 4.66:
>
> # SSL/TLS cert and key
> log_selector = +tls_cipher +tls_peerdn
> tls_certificate = /opt/exim/certs/exim.cert
> tls_privatekey = /opt/exim/certs/exim.key
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert
>
> # Advertise TLS to anyone
> tls_advertise_hosts = *
>
>
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"
>
> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:
>
> $ ls -lut
> -r--r--r-- 1 exim staff 1749 Aug 28 11:05 exim.cert
> -r-------- 1 exim staff 891 Aug 28 11:05 exim.key
> -r--r--r-- 1 exim staff 4680 Aug 27 03:06 godaddy-bundle.cert
>
> I've also been getting error messages like this in the logs:
>
> TLS error on connection from nebula.nccom.com [198.51.175.31]
> (SSL_accept): error:00000000:lib(0):func(0):reason(0)
>
> Any ideas?
>
> Thanks...
>
> ...Jim



eximusers at downhill

Aug 29, 2009, 12:25 AM

Post #3 of 3 (1792 views)
Re: TLS certificate verification

Jim Gottlieb <jimmy [at] nccom> wrote:
> I've been using a self-signed certificate for years, but I finally
> decided to install a "real" one. I bought it from Go Daddy,
[...]
> tls_verify_certificates = /opt/exim/certs/godaddy-bundle.cert
[...]
> When I test it from OS X's Mail.app, it tells me:
> "this certificate was signed by an unknown authority"

> When I first got this message, I realized I needed to install the Go
> Daddy cert bundle file (I don't know the official name) and so I did
> that and added the above tls_verify_certificates parameter. But I
> notice that cert file is not being read, even after a restart:
[...]

You are mistaking the point of tls_verify_certificates. If a *client*
connecting to exim presents a certificate, exim will verify this
one against the list of trusted ones in tls_verify_certificates.

OTOH if the client (Mail.app) wants to verify the cert exim is
presenting to it, the client will need to have access to the ca-cert
used to sign exim's cert.

BTW is your server accessible from the internet? We could try and check
whether we could verify the cert if it was.

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
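The following script is an added example, not part of the thread and not Exim's own code. It reproduces the two points made above with a throwaway CA built by openssl: a client that does not know the signing CA reports the server certificate as coming from an unknown authority no matter what tls_verify_certificates says, the same client succeeds once it has the CA bundle, and the single key+cert+bundle PEM that Mike points both tls_certificate and tls_privatekey at is readable as both a key file and a certificate file. It assumes `openssl` (1.1.1 or later) is on PATH; the CA name `demo-ca`, the host name `mail.example.test` and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate the client-side certificate check and build the
# combined PEM described in the thread. Nothing here touches a live server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA standing in for the Go Daddy root/intermediate bundle.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.cert" >/dev/null 2>&1
}

# Constructed server certificate signed by that CA (the "real" cert).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/exim.key" -out "$WORK/exim.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/exim.csr" \
        -CA "$WORK/ca-bundle.cert" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/exim.cert" >/dev/null 2>&1
}

# What a client such as Mail.app does with the server certificate: "ok" when
# its trust store ($1, a CA bundle file) contains the signer, otherwise
# "unknown-authority". An empty $1 models a client that has never seen the CA.
verify_server_cert() {
    if [ -z "$1" ]; then
        store_args="-no-CAfile -no-CApath"
    else
        store_args="-CAfile $1 -no-CApath"
    fi
    # shellcheck disable=SC2086
    if openssl verify $store_args "$WORK/exim.cert" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-authority
    fi
}

# The single file Mike described: private key, then the server certificate,
# then the CA bundle. The server cert must precede the intermediates so the
# chain is presented in order. Prints the path of the combined file.
build_combined_pem() {
    cat "$WORK/exim.key" "$WORK/exim.cert" "$WORK/ca-bundle.cert" \
        > "$WORK/exim-combined.pem"
    echo "$WORK/exim-combined.pem"
}

# "yes" when the private key in $1 matches the first certificate in $1,
# i.e. the combined file works for both tls_certificate and tls_privatekey.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ] && echo yes || echo no
}

make_ca
make_server_cert
COMBINED=$(build_combined_pem)
echo "client without the CA bundle: $(verify_server_cert "")"
echo "client with the CA bundle:    $(verify_server_cert "$WORK/ca-bundle.cert")"
echo "combined PEM key/cert match:  $(key_matches_cert "$COMBINED")"
# To see which certificates a real server sends in its handshake (run against
# your own host; this is a genuine openssl invocation, not executed here):
#   openssl s_client -starttls smtp -connect mail.example.test:25 -showcerts
```

The first verification fails with the same class of error Mail.app showed, and the only thing that fixes it is giving the verifier the CA bundle; tls_verify_certificates on the server plays no part, which is why the bundle file's access time never changed. The combined PEM is the practical workaround when one file has to serve several daemons: Exim built against OpenSSL loads the chain that follows the server certificate in the tls_certificate file, so the intermediates reach the client without a separate option.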


