Re: [exim] Exim Retaining Non-Existant SSL Certificates

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Graham Christensen
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Exim Retaining Non-Existant SSL Certificates
Phil,

This is referring to the server-to-client communication. The weird part
is, even when I clear the cache entirely and try again, it still gets
the old one. I don't know of any errors in regards of server-to-server
communication. Is there still a possible issue with mismatching
certificates in the cache?

Thanks,
Graham Christensen

http://itrebal.com - Customized Web Hosting
Graham.Christensen@???



Phil Pennock wrote:
> On 2008-03-27 at 17:58 -0400, Graham Christensen wrote:
>
>> I installed Exim4 right about a year ago on Etch. About a month or two
>> after that I setup SSL on outgoing mail, and accidentally set it up with
>> an incorrect certificate with the wrong Common Name in the certificate.
>> I've replaced the certificate with a correct one, but Exim still seems
>> to "remember" that old certificate.
>>
>> When I run `exim -bP tls_certificate` it outputs the correct
>> certificate, and when I run ` openssl x509 -in
>> /path/to/the/certificate.crt -noout -text` it works just fine.
>>
>> The problem comes when I actually try to send an email - it gets the old
>> certificate with the old, incorrect CN.
>>
>
> Which bit of communication is this with? Do you mean Exim sending
> server-to-server using a client certificate? If so, that's the
> tls_certificate option on the smtp transport, not the global
> tls_certificate option. Use:
> exim -bP transport remote_smtp | grep '^tls_certificate'
>
> If you mean, when you try to submit the mail to the Exim server, then
> you're looking at the possibility that the client has cached the server
> certificate, rather than the server returning the old certificate. I've
> seen various clients cache excessively, to the point of returning
> incorrect old data, when you have two certificates with the same issuer
> and the same serial number -- replacing a cert whilst keeping the same
> (issuer,serial) pair is a mistake; if getting a new cert isn't an
> option, then on every client you'll need to delete the cert, shut down
> the client completely, then start the client and try to load in the new
> cert.
>
> -Phil
>
>