
[Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

http://bugs.exim.org/show_bug.cgi?id=674
Summary: exim can't verify sha256WithRSAEncryption signature in
X.509 certificates when linked against OpenSSL
Product: Exim
Version: 4.68
Platform: All
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: nigel@exim.org
ReportedBy: eximBugzilla@kaiser.cx
CC: exim-dev@exim.org


Created an attachment (id=236)
--> (http://bugs.exim.org/attachment.cgi?id=236)
certs, private key for client cert

exim 4.68, linked against OpenSSL
(also tried older versions, both on Linux and FreeBSD)

configured to verify client certificates


tls_advertise_hosts = *
tls_certificate = <any server certificate>
tls_privatekey = <any private key file>

tls_try_verify_hosts = *
tls_verify_certificates = rootCaCert.pem

Root CA cert has sha256WithRSAEncryption.
The client certificate is signed by the root cert and also has a
sha256WithRSAEncryption signature.

Verification will fail because the signature can't be checked.

The problem is in src/tls-openssl.c, function tls_init():
exim calls OpenSSL_add_ssl_algorithms();
this function initializes sha1 but not sha256.

A simple solution/workaround is:


--- tls-openssl.c.orig 2008-02-21 22:37:46.000000000 +0100
+++ tls-openssl.c 2008-02-21 22:38:12.000000000 +0100
@@ -295,6 +295,7 @@
{
SSL_load_error_strings(); /* basic set up */
OpenSSL_add_ssl_algorithms();
+OpenSSL_add_all_digests();

/* Create a context */
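Review bot: the added OpenSSL_add_all_digests() line has no comment saying why it is needed right after OpenSSL_add_ssl_algorithms(), and since the report states the latter registers sha1 but not sha256, a later cleanup could easily drop the new call as redundant. Suggest a short comment on the added line, e.g. `OpenSSL_add_all_digests(); /* sha256 etc. needed to verify X.509 signatures */`, in the same style as the existing `/* basic set up */` comment on SSL_load_error_strings().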

This solved the problem for me.

Of course, you could argue this is actually an OpenSSL issue...

I just had a look, the same issue exists in 4.69.

I attach a root cert and a client cert+key to help you track this down.

Please get back to me if you need more information.

Best regards,

Martin
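A check that isolates this kind of failure, added here as an example and not part of the bug report or of Exim: rebuild the reported scenario (a root CA and a client certificate, both signed with sha256WithRSAEncryption) and verify the chain with the openssl command-line tool, which registers every digest. If this succeeds while the MTA rejects the same chain, the certificates are fine and the fault is in the application's OpenSSL initialisation. It assumes the `openssl` binary is in PATH; the file names and subjects are made up for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or Exim): generate a root CA and a
# client certificate that both carry a sha256WithRSAEncryption signature,
# then verify the chain with the openssl CLI. Assumes `openssl` is in PATH.
# The certificates created here are constructed test data and have no
# relation to the ones attached to the bug.
set -e

WORKDIR=$(mktemp -d)

# Self-signed root CA whose own signature uses SHA-256, plus a client
# certificate issued by that root, also signed with SHA-256.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Test Root CA" \
        -keyout "$WORKDIR/rootCaKey.pem" -out "$WORKDIR/rootCaCert.pem" \
        >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$WORKDIR/clientKey.pem" -out "$WORKDIR/client.csr" \
        >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORKDIR/client.csr" \
        -CA "$WORKDIR/rootCaCert.pem" -CAkey "$WORKDIR/rootCaKey.pem" \
        -CAcreateserial -out "$WORKDIR/clientCert.pem" >/dev/null 2>&1
}

# Print the signature algorithm recorded in a certificate (first match).
sig_alg() {
    openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' \
        | head -n 1 | sed 's/.*Signature Algorithm: //'
}

# Verify the client certificate against the root CA, the same relationship
# an MTA configured with tls_verify_certificates = rootCaCert.pem checks.
# Returns openssl's exit status (0 on "OK").
verify_chain() {
    openssl verify -CAfile "$WORKDIR/rootCaCert.pem" "$WORKDIR/clientCert.pem"
}

make_chain
echo "root CA signature:     $(sig_alg "$WORKDIR/rootCaCert.pem")"
echo "client cert signature: $(sig_alg "$WORKDIR/clientCert.pem")"
verify_chain
# $WORKDIR is deliberately left in place so the generated files can be
# inspected or fed to the MTA under test.
```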


