http://bugs.exim.org/show_bug.cgi?id=674

--- Comment #5 from Phil Pennock <[EMAIL PROTECTED]> 2008-08-13 08:10:35 ---

FWIW, this does not fail for me until I use tls_verify_hosts instead of
tls_try_verify_hosts.  For obvious reasons.

  16291 LOG: MAIN
  16291   SSL verify error: depth=1 error=certificate signature failure cert=/C=DE/ST=Hessen/L=Frankfurt/O=GUUG FFG 2008/OU=Example CA/CN=Martin Kaiser/[EMAIL PROTECTED]
  [...]
  16291 LOG: MAIN
  16291   TLS error on connection from (openssl.client.net) [127.0.0.1]:50863 (SSL_accept): error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
  16291 TLS failed to start
  [...]
  16291 SMTP>> 554 Security failure

Looking through the source for s_server.c in OpenSSL 0.9.8h, I see it calls
OpenSSL_add_all_algorithms(), which adds all ciphers and all digests; that
includes password-based ciphers, according to the man-page, but I've no idea
if that's likely to cause problems in a server expecting to work from a
certificate.

I guess the real question is whether or not it's bad to load all digests
(and/or ciphers) when the Exim option tls_require_ciphers is set, and whether
or not we need a new tls_require_digests option (or if the ciphers option
digest field stuff is sufficient for cert verification).

If tls_require_ciphers is a saving throw, then what probably needs to happen
is that the tls_require_ciphers option should have a reasonable default set,
instead of being unset by default, and then we add a call to
OpenSSL_add_all_algorithms().

Does anyone here have any expertise in this?  If not, there are some people I
can ask for help elsewhere.

Anyone have any thoughts on what a reasonable default tls_require_ciphers
would then be?  I myself use:

  tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!ADH:!aNULL:!NULL:!DES:@STRENGTH

but some of that is belt & braces, and perhaps disabling EXPORT ciphers isn't
an appropriate default.
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/ ##
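An added example for the "reasonable default tls_require_ciphers" question in the comment above; it is not Exim's code and not from the original thread. Exim passes the expanded tls_require_ciphers value to OpenSSL's SSL_CTX_set_cipher_list(), and Python's ssl.SSLContext.set_ciphers() calls the same routine, so the standard library is enough to see exactly which suites a candidate string selects on a given host's OpenSSL build and whether any of the suites the string is meant to exclude slipped through. The script assumes Python 3.6 or later (for SSLContext.get_ciphers()); the constants EVERYTHING, the function names and the suite-name patterns are this example's own choices, matched against the standard OpenSSL suite names. One caveat: OpenSSL 1.1.0 and later initialise the digest table automatically, so the ASN1_item_verify "unknown message digest algorithm" failure in the log cannot be reproduced this way; the example covers only the cipher-string side of the question.

```python
"""Expand a candidate Exim tls_require_ciphers string and flag weak suites.

Added example, not Exim code.  set_ciphers() is a thin wrapper around
SSL_CTX_set_cipher_list(), the call Exim makes with tls_require_ciphers,
so the expansion seen here is what Exim would get on the same OpenSSL.
Needs Python 3.6+ for SSLContext.get_ciphers().
"""
import ssl

# The string quoted in the comment above.
PENNOCK_STRING = "ALL:!SSLv2:!LOW:!EXPORT:!ADH:!aNULL:!NULL:!DES:@STRENGTH"

# Every suite this OpenSSL build knows, including eNULL; constructed here
# purely for contrast with the string above.
EVERYTHING = "ALL:COMPLEMENTOFALL"


def expand(cipher_string):
    """Return the cipher-suite dicts OpenSSL selects for cipher_string.

    Unknown keywords (e.g. !SSLv2 on builds without SSLv2) are ignored by
    OpenSSL's rule parser; ssl.SSLError is raised only when nothing at all
    matches, which is the case Exim would reject at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def names(suites):
    """Just the OpenSSL suite names, in the order OpenSSL ranked them."""
    return [s["name"] for s in suites]


def weak_suites(suites):
    """Suites the string above is meant to exclude, matched by the standard
    OpenSSL names: anonymous key exchange (ADH-/AECDH-), NULL encryption,
    export-grade (EXP...) and single DES.  Returns the offending names."""
    bad = []
    for s in suites:
        n = s["name"]
        anonymous = n.startswith(("ADH-", "AECDH-"))
        null_enc = n.startswith("NULL-") or "-NULL-" in n
        export = n.startswith("EXP")
        # "DES-CBC-" is single DES; 3DES suites are spelled DES-CBC3 / 3DES.
        single_des = "DES-CBC-" in n
        if anonymous or null_enc or export or single_des:
            bad.append(n)
    return bad


def legacy_suites(suites):
    """Suites the string above still permits but a default arguably should
    not: 3DES, RC4, or anything OpenSSL rates under 128 bits of strength.
    Informational; which of these exist depends on the build options."""
    return [s["name"] for s in suites
            if "DES-CBC3" in s["name"] or "3DES" in s["name"]
            or "RC4" in s["name"] or s["strength_bits"] < 128]


if __name__ == "__main__":
    for label, spec in (("candidate", PENNOCK_STRING), ("everything", EVERYTHING)):
        suites = expand(spec)
        print("%s: %d suites, weak=%s, legacy=%s" % (
            label, len(suites), weak_suites(suites), legacy_suites(suites)))
```

Running it prints the suite counts for the candidate string and for the unrestricted list, plus whatever weak or legacy suites survive on that build. The useful observation for the thread's question is that `!DES` removes single DES only, so 3DES stays in the candidate string's expansion wherever the build still ships it; that is the kind of thing a proposed default should be checked for rather than assumed.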
