[exim] TLS error on connect

Author: W B Hacker
Date:  
To: exim users
Subject: [exim] TLS error on connect
Folks,

There *may* be an easy explanation for this - hopefully a wiser
head has such:

================================================================

2006-06-07 21:24:09 SMTP connection from [203.194.153.83]:60231
I=[203.194.153.81]:25 (TCP/IP connection count = 1)

2006-06-07 21:24:09 H=triligon.to [203.194.153.83]:60231
I=[203.194.153.81]:25 Warning: H= triligon.to 203.194.153.83
requesting new connection

2006-06-07 21:24:09 TLS error on connection from triligon.to
[203.194.153.83]:60231 (SSL_accept):
error:00000000:lib(0):func(0):reason(0)

2006-06-07 21:24:09 SMTP connection from triligon.to
[203.194.153.83]:60231 I=[203.194.153.81]:25 closed by EOF

=============================================================

triligon.to, on 203.194.153.83, has a mirror-image copy of the
Exim install on conducive.org, 203.194.153.81
*including the same TLS certs*, but is not a secondary MX in the
conventional sense.

Rather, it is a 'hot standby'.

'Normally' it simply sits idle, sending out the daily cron-job
status reports (above).

IF/AS/WHEN the primary MX goes offline, this one does an IP
takeover, and 'becomes' the primary MX. Hence the rationale for
identical SMTP and IMAP certs (and everything else - DB,
rsynced mail storage, etc.)

I believe(d) that the above error was because the cert(s)
offered are:

A) identical at both ends

B) reflect the IP of the 'on duty' box at both ends, not
triligon.to's 'standby' IP.

- but, oddly, swapping in a different cert with the 'current'
IP, and restarting Exim (even after a 'killall') did not change
the above error.

SSL/SSH rev and OS rev (FreeBSD 6.1 AMD-64) are the same at both
ends, as is hardware. The only difference is Maxtor drives (hot)
on one and Western Digital (barely warm) on the other.

A 'grep' finds a few - but *very* few - 'outsiders' getting the
same error, i.e. only 3 such in 7 months: My own laptop via
cable broadband, a friend's Mailman server, and one 'stranger'
with different return codes and a smidgen of extra info:

=================================================================
2006-06-01 04:11:37 TLS error on connection from
[202.64.125.135]:34069 (SSL_accept): error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

=================================================================

Any ideas as to where (else) I might start to look?

Thanks,

Bill Hacker