On 22/11/13 18:22, Philippe Lelidy wrote:
-3- I have an S/MIME certificate in my UA, but lack a ca file, so I get:
debug: lka: X509 verify: unable to get local issuer certificate
Hence, it seems that OpenSMTPD has this undocumented feature that it
is able to authenticate using X509 certificates. Will give it a try.
SUCCESS.
It was my misunderstanding of OpenSSL and CAs. Now it is OK:
smtp-in: Client certificate verification succeeded on session
b28ae6965be3335d
The message "debug: lka: X509 verify: unable to get local issuer certificate"
was an OpenSSL message. What I did for debugging is:
openssl verify -CAfile sub.class1.client.bundle.pem my-mine.cert
It is important to understand that the pki smtpd.conf parameters
certificate and key are there for the client to trust the server, but the ca
parameter is there for the server to trust the certificate of the client.
Hence I had to make a bundle with sub.class1.client.ca and not
sub.class1.server.ca!
It is very clever that OpenSMTPD messages about SSL are exactly the
messages issued by OpenSSL; it helps debugging.
But the certificate validation is not yet used at all by OpenSMTPD auth!
Only the password matters.
Ph. Le.