[Pkg-exim4-users] tls_verify_certificates = system
Calum Mackay
2015-09-06 01:18:40 UTC
hi all,

I tried to use the new option to use the system standard CA bundle (new
in 4.86), for certificate verification.

I tried overriding:

MAIN_TLS_VERIFY_CERTIFICATES = system

as per spec Ch.14.

But when I did this, all certificate verification stopped working. When
I reverted to the pkg default (appended), all started working again.

I'm running on sid, so my GnuTLS is 3.3.17, exim 4.86-3 (heavy).


Presumably I'm doing something wrong, but I don't see it. Any ideas, please?

thanks much indeed.

best regards,
calum.


.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
                                    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
Calum Mackay
2015-09-07 16:30:37 UTC
thanks for the reply, Marc,
Post by Calum Mackay
MAIN_TLS_VERIFY_CERTIFICATES = system
as per spec Ch.14.
This pointed exim to a certificates file called "system". Is that
what you wanted?
I might have overlooked it, but spec.txt chapter 14 does not seem to
indicate that "system" is a valid or special setting.
The value of this option is expanded, and must then be either the
word "system" or the absolute path to a file or directory containing
permitted certificates for clients that match tls_verify_hosts or
tls_try_verify_hosts.
The "system" value for the option will use a system default location
compiled into the SSL library. This is not available for GnuTLS
versions preceding 3.0.20, and will be taken as empty; an explicit
location must be specified.
This "system" value is new in 4.86, which is what I'm running (sid).


I read this as a tidy way to avoid hard-coding the Debian
ca-certificates location into the config. It's not a big deal, obviously.


thanks much,

cheers,
calum.
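The rule quoted from the spec above ("system" or an absolute path; "system" taken as empty on GnuTLS older than 3.0.20), together with the Debian fallback to /dev/null shown earlier in the thread, turned into a pre-flight check a mail admin can run before restarting the daemon. This is an added example, not code from the thread, from Exim or from the Debian packaging; it assumes the Debian bundle path /etc/ssl/certs/ca-certificates.crt as the library's compile-time default trust file, and the function names resolve_verify_certs, count_pem_certs and version_lt are this example's own.

```shell
#!/bin/sh
# Added example: resolve what Exim's tls_verify_certificates will actually
# verify against, and flag the cases where it resolves to nothing.
# Assumption: the compile-time default trust file is the Debian bundle path.

# Count PEM certificates in a file or directory; prints 0 if unreadable.
count_pem_certs() {
    target="$1"
    if [ -d "$target" ]; then
        cat "$target"/*.pem "$target"/*.crt 2>/dev/null \
            | grep -c -- '-----BEGIN CERTIFICATE-----' || true
    elif [ -r "$target" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$target" || true
    else
        echo 0
    fi
}

# True (exit 0) when dotted version $1 is lower than dotted version $2.
version_lt() {
    a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
    b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -lt "${b3:-0}" ]
}

# resolve_verify_certs VALUE GNUTLS_VERSION [DEFAULT_TRUST_FILE]
# Prints one of:
#   ok:<path>:<n>   a bundle holding n >= 1 certificates
#   empty:<path>    the path exists but holds no certificates (e.g. /dev/null)
#   missing:<path>  the path does not exist
#   system-empty    "system" requested but GnuTLS < 3.0.20 treats it as empty
#   invalid:<value> neither "system" nor an absolute path
resolve_verify_certs() {
    value="$1"
    gnutls_version="$2"
    default_trust="${3:-/etc/ssl/certs/ca-certificates.crt}"   # assumed default

    case "$value" in
        system)
            if version_lt "$gnutls_version" 3.0.20; then
                echo "system-empty"
                return 0
            fi
            value="$default_trust"
            ;;
        /*) ;;
        *)
            echo "invalid:$value"
            return 0
            ;;
    esac

    if [ ! -e "$value" ]; then
        echo "missing:$value"
        return 0
    fi
    n=$(count_pem_certs "$value")
    if [ "$n" -gt 0 ]; then
        echo "ok:$value:$n"
    else
        echo "empty:$value"
    fi
}

# Usage: ./check-verify-certs.sh "$(exim -bP tls_verify_certificates | sed 's/^.*= *//')" 3.3.17
if [ "$#" -ge 2 ]; then
    resolve_verify_certs "$@"
fi
```

Anything other than an ok: result means the daemon has no trust anchors and every verification will fail, which is the symptom at the top of the thread; note that the Debian /dev/null fallback lands in the empty: case too, so it silently disables verification rather than failing loudly. The check applies the documented rule, not the running binary's behaviour, so an ok: result with verification still failing points at the software rather than the configuration.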
Calum Mackay
2015-09-12 23:46:07 UTC
Post by Calum Mackay
This "system" value is new in 4.86, which is what I'm running (sid).
I read this as a tidy way to avoid hard-coding the Debian
ca-certificates location into the config. It's not a big deal, obviously.
Any further thoughts on this one, please?


thanks much indeed.

cheers,
calum.
Andreas Metzler
2015-09-24 17:36:50 UTC
Post by Calum Mackay
Post by Calum Mackay
This "system" value is new in 4.86, which is what I'm running (sid).
I read this as a tidy way to avoid hard-coding the Debian
ca-certificates location into the config. It's not a big deal, obviously.
Any further thoughts on this one, please?
Hello,

afaict this happens because GnuTLS on Debian is not built with
--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Calum Mackay
2015-09-25 18:24:45 UTC
Post by Andreas Metzler
afaict this happens because GnuTLS on Debian is not built with
--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt.
thanks very much Andreas, that explains it.

Is that perhaps worth me logging a bug/rfe against libgnutls, noting this?

Also, should README.Debian note that the "system" value should not be used?

thanks,
calum.
Andreas Metzler
2015-09-26 05:57:17 UTC
Post by Calum Mackay
Post by Andreas Metzler
afaict this happens because GnuTLS on Debian is not built with
--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt.
thanks very much Andreas, that explains it.
Is that perhaps worth me logging a bug/rfe against libgnutls, noting this?
Grrr, looking at the buildlog I see that I am wrong, gnutls is using the
configure flag.
Post by Calum Mackay
Also, should README.Debian note that the "system" value should not be used?
I will investigate further.

sorry, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Andreas Metzler
2015-09-27 16:22:18 UTC
[ tls_verify_certificates=system]
Post by Andreas Metzler
I will investigate further.
Exim's GnuTLS version check for this feature is broken:
https://bugs.exim.org/show_bug.cgi?id=1691

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Calum Mackay
2015-09-27 16:52:07 UTC
Post by Andreas Metzler
https://bugs.exim.org/show_bug.cgi?id=1691
oh good spot, thanks very much indeed, Andreas.

cheers,
calum.