http://bugs.exim.org/show_bug.cgi?id=674

           Summary: exim can't verify sha256WithRSAEncryption signature in X.509
                    certificates when linked against OpenSSL
           Product: Exim
           Version: 4.68
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]
                CC: [email protected]

Created an attachment (id=236)
 --> (http://bugs.exim.org/attachment.cgi?id=236)
certs, private key for client cert

exim 4.68, linked against OpenSSL (also tried older versions, both on Linux and
FreeBSD), configured to verify client certificates:

  tls_advertise_hosts = *
  tls_certificate = <any server certificate>
  tls_privatekey = <any private key file>
  tls_try_verify_hosts = *
  tls_verify_certificates = rootCaCert.pem

Root CA cert has sha256WithRSAEncryption. The client certificate is signed by
the root cert and also has a sha256WithRSAEncryption signature. Verification
will fail because the signature can't be checked.

The problem is in src/tls-openssl.c, function tls_init(): exim calls
OpenSSL_add_ssl_algorithms(); this function initializes sha1 but not sha256.
A simple solution/workaround is

--- tls-openssl.c.orig	2008-02-21 22:37:46.000000000 +0100
+++ tls-openssl.c	2008-02-21 22:38:12.000000000 +0100
@@ -295,6 +295,7 @@
 {
 SSL_load_error_strings();          /* basic set up */
 OpenSSL_add_ssl_algorithms();
+OpenSSL_add_all_digests();
 /* Create a context */

This solved the problem for me. Of course, you could argue this is actually an
OpenSSL issue...

I just had a look, the same issue exists in 4.69.

I attach a root cert and a client cert+key to help you track this down. Please
get back to me if you need more information.

Best regards,
Martin
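Review bot: the added OpenSSL_add_all_digests() line in the hunk at @@ -295,6 +295,7 @@ carries no comment saying why it has to sit next to OpenSSL_add_ssl_algorithms(), and the only place that reasoning lives is the report text above (OpenSSL_add_ssl_algorithms() registers sha1 but not sha256, so sha256WithRSAEncryption signatures on the root CA and client certificates cannot be checked). Suggest carrying it into the source, for example `+OpenSSL_add_all_digests();  /* sha256 etc. for certificate signature verification */`, so a later tidy-up does not drop the call as redundant. The report also states the same issue exists in 4.69, so whoever lands this should apply it to both 4.68 and 4.69 rather than only the version in the header.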

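A defender-side check that goes with this report: before relying on tls_verify_certificates, find out which signature digests the CA bundle (and the client certificates it will be asked to verify) actually use, so you know whether the linked OpenSSL build must have sha256 registered. The script below is an added example, not Exim's or OpenSSL's code; it walks just enough DER to read Certificate.signatureAlgorithm (RFC 5280, section 4.1) from every CERTIFICATE block in a PEM file, with no OpenSSL dependency. The function names, the OID table and the sample bundle are all constructed here; the sample certificates are cert-shaped DER skeletons with placeholder bodies, not real certificates.

```python
"""List the signature digests a PEM certificate bundle relies on (added example)."""
import base64
import re

# Signature-algorithm OID -> (algorithm name, digest OpenSSL must have registered)
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
}


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """DER OID content bytes -> dotted string (base-128 arcs, high bit = continue)."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def cert_signature_oid(der_bytes):
    """Dotted OID of the outer signatureAlgorithm of one DER certificate."""
    tag, cert, _ = read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert)             # tbsCertificate: skipped entirely
    tag, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id)            # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def pem_certificates(pem_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for m in re.finditer(pattern, pem_text, re.S):
        yield base64.b64decode("".join(m.group(1).split()))


def audit_bundle(pem_text):
    """(algorithm name, digest) per certificate; unknown OIDs are reported raw."""
    return [SIG_ALGS.get(oid, (oid, "unknown"))
            for oid in map(cert_signature_oid, pem_certificates(pem_text))]


def digests_required(pem_text):
    """Set of digest names the bundle's signatures need, e.g. {'sha1', 'sha256'}."""
    return {digest for _, digest in audit_bundle(pem_text)}


# --- constructed sample input: cert-shaped DER skeletons, not real certificates ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def sample_cert_pem(sig_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                     # placeholder tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # AlgorithmIdentifier
    sig = der(0x03, b"\x00" + bytes(16))                    # placeholder BIT STRING
    b64 = base64.b64encode(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# A sha256WithRSAEncryption "root" like the one in the report, plus a sha1 cert for contrast.
SAMPLE_BUNDLE = sample_cert_pem("1.2.840.113549.1.1.11") + sample_cert_pem("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for name, digest in audit_bundle(text):
        print("%-28s needs digest %s" % (name, digest))
```

Run it as `python3 audit_sigs.py rootCaCert.pem` (or against the client certificate from the attachment) to see which digests must be available to the OpenSSL build Exim is linked with; any entry other than sha1 is exactly the case this report describes when OpenSSL_add_all_digests() has not been called. The script only identifies the required digest; actual chain verification is still done by Exim (or by openssl verify).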