http://bugs.exim.org/show_bug.cgi?id=1557

Summary: 4.85rc1/2 delivers unencrypted if hosts_try_dane used ...
Product: Exim
Version: 4.84
Platform: x86
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

I used the following transport config up to 4.84:

remote_smtp:
  driver = smtp
  ...
  tls_certificate = /etc/pki/....pem
  tls_privatekey = /etc/pki/....key
  tls_verify_certificates = /etc/pki/tls/cert.pem
  tls_try_verify_hosts = *
  ...

and Exim delivered encrypted to hosts with self-signed certs which fail verification.

I tested 4.85rc1 and rc2 DANE support (with OpenSSL) and changed to

  # tls_try_verify_hosts = *
  dnssec_request_domains = *
  hosts_try_dane = *

Exim gets correct DANE results, reporting CV=dane if available, but if delivering to hosts *without* DANE DNS RRs, but with self-signed certs (or verification fails due to other reasons), it falls back to unencrypted delivery as if tls_verify_hosts was used.

Log shows e.g.:

2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] TLS error on connection (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering unencrypted to xxxxxxx.xxxxxx.xxx [xxx.xxx.xx.xx] (not in hosts_require_tls)
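An operator affected by this fallback wants to spot it in the Exim main log rather than discover it later. The following script is an added example, not part of the bug report or of Exim itself: it scans main-log lines for the "delivering unencrypted" fallback shown above and pairs each one with the preceding "TLS error on connection" for the same message id. The embedded log lines are constructed to match the report's format; the hostnames and addresses are placeholders.

```python
import re

# Constructed sample log lines modelled on the format in the bug report.
# Hostnames and addresses are placeholders, not real servers.
SAMPLE_LOG = """\
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 H=mx.example.test [192.0.2.10] TLS error on connection (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-12-03 09:42:13 1Xw5Vl-0008IC-J4 TLS session failure: delivering unencrypted to mx.example.test [192.0.2.10] (not in hosts_require_tls)
2014-12-03 09:42:20 1Xw5Vs-0008IQ-Ab => bob@example.test R=dnslookup T=remote_smtp H=mx2.example.test [192.0.2.11] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane
"""

# Date and time, Exim message id (6-6-2 characters), then the rest of the line.
LINE_RE = re.compile(r"^(\S+ \S+) (\S{6}-\S{6}-\S{2}) (.*)$")
TLS_ERROR_RE = re.compile(r"TLS error on connection \((\w+)\): (.*)$")
FALLBACK_RE = re.compile(
    r"TLS session failure: delivering unencrypted to (\S+) \[([^\]]+)\]"
)


def find_cleartext_fallbacks(log_text):
    """Return one record per message that fell back to cleartext delivery.

    Each record carries the time, message id, peer host and IP, and the TLS
    error logged earlier for the same message id (None if there was none).
    """
    pending_errors = {}   # message id -> most recent TLS error text
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msgid, rest = m.groups()
        err = TLS_ERROR_RE.search(rest)
        if err:
            pending_errors[msgid] = err.group(2)
            continue
        fb = FALLBACK_RE.search(rest)
        if fb:
            findings.append({
                "time": when,
                "msgid": msgid,
                "host": fb.group(1),
                "ip": fb.group(2),
                "tls_error": pending_errors.pop(msgid, None),
            })
    return findings


if __name__ == "__main__":
    for rec in find_cleartext_fallbacks(SAMPLE_LOG):
        print(f"{rec['time']} {rec['msgid']} cleartext to {rec['host']} "
              f"[{rec['ip']}] after: {rec['tls_error']}")
```

Feed it the real main log (e.g. `/var/log/exim4/mainlog`) and alert on any record whose host you expect to reach only over TLS.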
