[Help-gnutls] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

Heiko Schlittermann hs at schlittermann.de
Fri Jun 19 15:29:21 CEST 2009


I'll post my question already sent to exim-user, because I think, the
mentioned problem is more related to GNUTLS than to exim.

About the mentioned library version I'm not sure for 100%, but ldd
reports libgnutls.so.26.

----- Forwarded message from Heiko Schlittermann <hs at schlittermann.de> -----

Date: Fri, 19 Jun 2009 13:59:20 +0200
From: Heiko Schlittermann <hs at schlittermann.de>
To: Exim Users List <exim-users at exim.org>
Sender: exim-users-bounces at exim.org
Subject: [exim] Exim + (GNU)TLS + Outlook + tls_try_verify_hosts


after resolving the issues with certs not verified by GNUTLS (because of
the wrong signature algorithm) we experience some other problem:

Whenever requesting a client certificate (tls_try_verify_hosts), the
client (Outlook Express) does not successfully connect. Without
requesting a certificate, TLS/SSL works.

On the server: Exim4 4.69 + GNUTLS 2.6(.4), on the client side some
Outlook (currently OE 6.0, but I think the version is not important
here). The servers options are

   tls_advertise_hosts = *
   tls_certificate = /etc/ssl/certs/ssl.schlittermann.de.crt
   tls_on_connect_ports = 465
   tls_privatekey = /etc/ssl/private/ssl.schlittermann.de.key
   tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
   tls_try_verify_hosts = *¹
   tls_verify_hosts = 

¹) I need this, because some (verified) certs are used for

Other TLS relevant options are not set.

The client complains with error code 0x800CCC0F (it seems to be quite

With older versions of GNUTLS (used on some other server with Exim 4.68
+ GNUTLS 1.3.x) it works. Clients other than outlook connect.

When I switch off the exim and simulate a server using "openssl s_server
...", I can successfully simulate the session, attempting the same with 
"gnutls-serv ..." hangs after "sending CERTIFICATE REQUEST" to the

My questions:

    * does anybody else experience this problem? (I found something
      using google, but nothing related to outlook and GNUTLS)?

    * do I really have to link exim agains the OpenSSL libs? (I do not
      like it, because of the maintenance issue)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -

## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: </pipermail/attachments/20090619/6a1d3078/attachment.pgp>

More information about the Gnutls-help mailing list