On 2009-04-07 Stephen Gran <[email protected]> wrote:
> This one time, at band camp, Andreas Metzler said:
>> On 2009-04-05 Stephen Gran <[email protected]> wrote:
>> I have just tried to reproduce this. Both sides are running lenny. The
>> client is running basically the vanilla debian config with these
>> changes:
>> The testserver is also running on port 1111 with a self-signed certificate,
>> it has set tls_try_verify_hosts = * and
>> tls_verify_certificates = afile/with/just/theclientcert.

> I am using it with the ca.crt in that file, as I'm interested in
> validating more than just a single client cert.

>> * Server: *
>> 31998 host in tls_try_verify_hosts? yes (matched "*")
>> 31998 initialized GnuTLS session
>> 31998 SMTP>> 220 TLS go ahead
>> 31998 gnutls_handshake was successful
>> 31998 TLS certificate verified: peerdn=C=AT,ST=Austria,CN=client.bebt.de
>> 31998 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
>> Which looks fine to me. The server asks for a certificate, the
>> client sends it. I am sure to have missed something obvious. ;-)

> This does not happen if the server cert presented is not signed by the
> same CA as the client cert.

Hello,

I still fail to reproduce this when using non-self-signed certs. Following
Manoj's quick howto
http://www.golden-gryphon.com/blog/manoj//blog/2009/03/31/Fighting_FUD__58___Working_with_openssl/
I have built two ca-certs and have signed one certificate in each one. One
goes to the server, one goes to the client, the server gets the cacert
signing the client cert in tls_verify_certificates.

10337 SMTP>> 220 TLS go ahead
10337 gnutls_handshake was successful
10337 TLS certificate verified: peerdn=C=AT,ST=Vorarlberg,O=Andreas Tests,CN=test-cli-clientcert
10337 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32

cu andreas
-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
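The two-CA setup Andreas describes (one CA signs the server cert, a different CA signs the client cert, and only the client-side CA goes into the server's tls_verify_certificates) can be reproduced on the command line with openssl alone, before involving Exim. The script below is an added example written for this archive page, not code from the thread or from the Exim or Debian projects; all names (ca-srv, ca-cli, test-srv, test-cli) and subjects are constructed, and it assumes an openssl binary in PATH. It builds the two CAs, signs one leaf with each, and then checks each leaf against each CA file the way a tls_verify_certificates check would: the client cert must chain to ca-cli and must be rejected by ca-srv.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build two independent
# CAs, sign one leaf certificate with each, and check which CA file each
# leaf validates against. ca-cli.crt is the file that would be named in
# Exim's tls_verify_certificates on the server side; ca-srv.crt only
# signs the server's own certificate. All names below are constructed.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Create a self-signed CA certificate and private key for $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/C=XX/O=Example Tests/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Create a leaf key and CSR for $1 and have CA $2 sign it.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Example Tests/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -sha256 -in "$1.csr" \
    -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" >/dev/null 2>&1
}

# Exit 0 if leaf $1 chains to the CA in $2.crt, non-zero otherwise.
# This is the same path validation a TLS peer does with a CA file.
chains_to() {
  openssl verify -CAfile "$2.crt" "$1.crt" >/dev/null 2>&1
}

make_ca ca-srv && make_ca ca-cli || exit 1
make_leaf test-srv ca-srv && make_leaf test-cli ca-cli || exit 1

# The checks a server with tls_verify_certificates = ca-cli.crt performs.
client_cert_accepted_by_client_ca() { chains_to test-cli ca-cli; }
client_cert_rejected_by_server_ca() { ! chains_to test-cli ca-srv; }
server_cert_accepted_by_server_ca() { chains_to test-srv ca-srv; }
server_cert_rejected_by_client_ca() { ! chains_to test-srv ca-cli; }

report() {
  if "$1"; then echo "ok   $1"; else echo "FAIL $1"; fi
}

report client_cert_accepted_by_client_ca
report client_cert_rejected_by_server_ca
report server_cert_accepted_by_server_ca
report server_cert_rejected_by_client_ca
```

If the four lines all print "ok", the certificates are set up the way the reproduction requires; a client cert that also chains to ca-srv would mean the two CAs are not actually independent (for example, the same key was reused), which is exactly the condition the earlier report depends on.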

