This is an exim client checking a server certificate.
35 files changed:
-.option tls_try_verify_hosts smtp "host list&!!" unset
+.option tls_try_verify_hosts smtp "host list&!!" *
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
For back-compatability,
if neither tls_verify_hosts nor tls_try_verify_hosts are set
For back-compatability,
if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
and certificate verification fails the TLS connection is closed.
and certificate verification fails the TLS connection is closed.
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
+JH/06 Verification of the server certificate for a TLS connection is now tried
+ (but not required) by default.
+
Exim version 4.85
-----------------
Exim version 4.85
-----------------
in that case, certificate verification fails, which seems to be the correct
behaviour. */
in that case, certificate verification fails, which seems to be the correct
behaviour. */
-if ( state->tls_verify_certificates && *state->tls_verify_certificates
-#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
- && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
-#endif
- )
+if (state->tls_verify_certificates && *state->tls_verify_certificates)
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+ state->exp_tls_verify_certificates = NULL;
+#endif
if (state->tls_crl && *state->tls_crl)
if (!expand_check_tlsvar(tls_crl))
return DEFER;
if (state->tls_crl && *state->tls_crl)
if (!expand_check_tlsvar(tls_crl))
return DEFER;
if ( ( state->exp_tls_verify_certificates
&& !ob->tls_verify_hosts
if ( ( state->exp_tls_verify_certificates
&& !ob->tls_verify_hosts
- && !ob->tls_try_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
)
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)
)
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)
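Review bot: The added `Ustrcmp(state->exp_tls_verify_certificates, "system")` inside the `#ifndef SUPPORT_SYSDEFAULT_CABUNDLE` block reads the expanded value without a NULL check. expand_check_tlsvar is not shown here, so if it can report success while leaving the expansion NULL (a forced expansion failure, for instance), this dereferences NULL. A guard such as `if (state->exp_tls_verify_certificates && Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)` would cover that case. The value is also cleared silently, and the later test on `state->exp_tls_verify_certificates` then appears to drop the fallback that makes verification mandatory. A short comment or debug message saying that "system" was ignored because this build has no system CA bundle support would help anyone reading the logs. The enclosing function starts and ends outside the visible lines.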
set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
the specified host patterns if one of them is defined */
set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
the specified host patterns if one of them is defined */
-if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
+if ( ( !ob->tls_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+ )
|| (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
)
client_verify_optional = FALSE;
|| (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
)
client_verify_optional = FALSE;
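Review bot: The comment above this condition still says verification is mandatory when both host lists are "not set", but the new test `(!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)` also treats an empty string as unset, while a single-colon list counts as set. That distinction decides whether a failed verification closes the connection, so the comment should state it, for example `/* tls_try_verify_hosts counts as unset when NULL or the empty string; ":" (an empty list) counts as set */`. The same predicate is repeated in the earlier hunk that tests `state->exp_tls_verify_certificates`; a small shared helper would stop the two copies drifting apart. The comment and the enclosing function begin outside the visible lines.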
/* tls_dh_min_bits */
TRUE, /* tls_tempfail_tryclear */
NULL, /* tls_verify_hosts */
/* tls_dh_min_bits */
TRUE, /* tls_tempfail_tryclear */
NULL, /* tls_verify_hosts */
- NULL, /* tls_try_verify_hosts */
+ US"*", /* tls_try_verify_hosts */
US"*" /* tls_verify_cert_hostnames */
#endif
#ifndef DISABLE_DKIM
US"*" /* tls_verify_cert_hostnames */
#endif
#ifndef DISABLE_DKIM
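Review bot: Changing this default from `NULL` to `US"*"` means a transport that leaves both host-list options out no longer reaches the back-compatibility branch in the TLS code, `!ob->tls_verify_hosts && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)`. As far as the visible conditions show, a transport that sets tls_verify_certificates and relied on that branch to close the connection on a verification failure now gets try-only verification and carries on over an unverified session. The ChangeLog entry says only that verification is "now tried (but not required) by default". I would add a comment on this line such as `/* was NULL; transports relying on the unset-list fallback for mandatory verification must now set tls_verify_hosts */` and state the same in the upgrade notes.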
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts = :
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
allow_localhost
hosts = 127.0.0.1
port = PORT_D
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :
hosts = 127.0.0.1
hosts_nopass_tls = *
port = PORT_D
hosts = 127.0.0.1
hosts_nopass_tls = *
port = PORT_D
+ tls_try_verify_hosts = :
hosts_require_tls = HOSTIPV4
tls_require_ciphers = DES-CBC3-SHA
port = PORT_D
hosts_require_tls = HOSTIPV4
tls_require_ciphers = DES-CBC3-SHA
port = PORT_D
+ tls_try_verify_hosts = :
hosts = 127.0.0.1 : HOSTIPV4
port = PORT_D
allow_localhost
hosts = 127.0.0.1 : HOSTIPV4
port = PORT_D
allow_localhost
+ tls_try_verify_hosts = :
allow_localhost
hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
port = PORT_D
allow_localhost
hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
port = PORT_D
+ tls_try_verify_hosts = :
hosts = HOSTIPV4
port = PORT_D
tls_sni = fred
hosts = HOSTIPV4
port = PORT_D
tls_sni = fred
+ tls_try_verify_hosts = :
send_to_server2:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
send_to_server2:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
+ tls_try_verify_hosts = :
port = PORT_D
tls_sni = fred
hosts_require_tls = *
port = PORT_D
tls_sni = fred
hosts_require_tls = *
+ tls_try_verify_hosts = :
send_to_server2:
driver = smtp
send_to_server2:
driver = smtp
port = PORT_D
tls_sni = bill
hosts_require_tls = *
port = PORT_D
tls_sni = bill
hosts_require_tls = *
+ tls_try_verify_hosts = :
allow_localhost
hosts = 127.0.0.1
port = PORT_D
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :
hosts = 127.0.0.1
port = PORT_D
hosts_avoid_tls = HOSTS_AVOID_TLS
hosts = 127.0.0.1
port = PORT_D
hosts_avoid_tls = HOSTS_AVOID_TLS
+ tls_try_verify_hosts = :
hosts_require_auth = *
allow_localhost
hosts_require_auth = *
allow_localhost
port = PORT_D
hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
port = PORT_D
hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
+ tls_try_verify_hosts = :
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
tls_verify_cert_hostnames =
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
event_action = ${acl {logger} {$event_name} {$domain} }
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but the server did not offer TLS support
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but the server did not offer TLS support
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:DES-CBC3-SHA:168 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:DES-CBC3-SHA:168 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
SMTP>> EHLO helo.data.changed
SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
250-SIZE 52428800
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+LOG: MAIN
+ SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+ SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
127.0.0.1 in hosts_request_ocsp? yes (matched "*")
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
127.0.0.1 in hosts_request_ocsp? yes (matched "*")
-127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
+127.0.0.1 in tls_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? no (end of list)
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
127.0.0.1 in tls_verify_hosts? no (option unset)
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
127.0.0.1 in tls_verify_hosts? no (option unset)
-127.0.0.1 in tls_try_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800