On 2012-05-15 at 01:16 +0100, Jeremy Harris wrote:
> I'm confused by testcase 2112.  The script comment:

I was.  I'm not now, but do think we need better comments explaining WTH
is going on.  It's non-trivial.

> 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
> 1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
> 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
> 1999-03-02 09:44:33 10HmaX-0005vi-00 => [email protected] R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel"

So to be clear here: there are two different connection attempts.
Attempt 1 is to HOSTIPV4, when the client attempts to validate the
server certificate, and fails the connection if not.  Because
hosts_require_tls is set, the message can't be sent plaintext, so the
second IP in the hosts list is tried, 127.0.0.1.

There are two key/cert pairs in aux-fixed/, cert1 and cert2.

The client presents the same certificate each time.  That's
tls_certificate in the transport, always "cert2".  The *verification* CA
information, for information expected *from* the server, is set in
tls_verify_certificates on the transport.  That changes, depending upon
the remote IP address.

The *server* config always presents cert1 and expects cert2.  So the
server always gets the cert it expects.

The client config expects cert1 on 127.0.0.1, and cert2 otherwise.
Since the server is always presenting cert1, the client configuration
fails the first connection (HOSTIPV4) and succeeds on the second
connection, 127.0.0.1.

Thus the logging is correct and CV is always correct.  It's just that
the configuration demands different server identity on log-line 3 and
log-line 4 above.

Feel free to add waaay more commentary to that test script.  :)

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
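The two-sided setup described in the message above, written out as an Exim configuration fragment. This is an added illustration, not the actual testcase 2112 script: the DIR macro in the aux-fixed/ paths, HOSTIPV4 standing for the first (non-loopback) host, and the choice of an smtp transport named send_to_server are assumptions taken from the text, not copied from the test suite.

```exim
# --- Server side (main configuration) ---
# Always present cert1 to clients; only accept cert2 from them.
# (Matches "the server always gets the cert it expects".)
tls_advertise_hosts     = *
tls_certificate         = DIR/aux-fixed/cert1
tls_privatekey          = DIR/aux-fixed/cert1
tls_verify_certificates = DIR/aux-fixed/cert2
tls_verify_hosts        = *

# --- Client side (smtp transport) ---
send_to_server:
  driver = smtp
  # Attempt 1 goes to HOSTIPV4, attempt 2 falls back to 127.0.0.1.
  hosts = HOSTIPV4 : 127.0.0.1
  # No plaintext fallback: a failed TLS verification means "try the next host".
  hosts_require_tls = *
  # The client always presents cert2.
  tls_certificate = DIR/aux-fixed/cert2
  tls_privatekey  = DIR/aux-fixed/cert2
  # What the client will *accept from the server* depends on the remote address:
  # trust cert1 only when talking to 127.0.0.1, cert2 otherwise.  Since the
  # server always sends cert1, HOSTIPV4 fails verification (self-signed cert not
  # in the trust store) and 127.0.0.1 succeeds with CV=yes.
  tls_verify_certificates = ${if eq{$host_address}{127.0.0.1}\
                              {DIR/aux-fixed/cert1}\
                              {DIR/aux-fixed/cert2}}
```

With this layout the "SSL verify error ... self signed certificate" line is the expected outcome of attempt 1, and the later delivery line with CV=yes is attempt 2; neither indicates a verification bug.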