Re: [exim] Exim Retaining Non-Existant SSL Certificates

Author: Phil Pennock
Date:  
To: Graham Christensen
CC: exim-users
Subject: Re: [exim] Exim Retaining Non-Existant SSL Certificates
On 2008-03-28 at 19:38 -0400, Graham Christensen wrote:
> This is referring to the server-to-client communication. The weird part
> is, even when I clear the cache entirely and try again, it still gets
> the old one. I don't know of any errors in regards of server-to-server
> communication. Is there still a possible issue with mismatching
> certificates in the cache?
Okay, first verify that the server is serving up the new certificate.
If you listen on smtps (SSL-on-connect) then this:
openssl s_client -showcerts -connect localhost:smtps
will show you the PEM-encoded certificate, which you've already
demonstrated you know how to feed into "openssl x509".

There are various tools to dump certs from SMTP; I just stuck a short
Perl script up at:
http://people.spodhuis.org/phil.pennock/software/smtp_tls_cert.pl
smtp_tls_cert.pl has a dependency upon Net::SSLeay, which is a very
common dependency for SSL/TLS in Perl. The script assumes submission
port, it's hard-coded and I never bothered changing that.

If you can confirm that the server is fine, then you're onto looking at
the clients. Not Exim-specific, but commonly an issue encountered by
mail-admin and not too far off-topic for the list, IMO.

What sort of certificate are you using? Self-signed, private CA,
purchased certificate? If purchased, complain and get a new one. If a
private CA, issue yourself a new cert with a new serial number. If you
replaced the CA cert itself, then it's the CA cert which you need to
purge. If it's a self-signed cert, then it's that in particular.

The client's not so much "caching" the cert, as it is keeping hold of a
known-good copy for future comparison. Clearing normal caches won't
touch it. With a client such as Thunderbird, you need to go to the
Certificate Manager (Preferences/Options/Whatever, Advanced,
Certificates, View Certificates). For a self-signed server cert, look
at "Web Sites", because to Mozilla all the world is a web-site,
including SMTP and IMAP and POP3 servers. ;^) If a private CA, look
under Authorities.

Delete the defunct bad cert, close and shut down the program. If you
try and load the correct cert back in after deleting, then some programs
(the Mozilla ones in particular) will just silently load back in the old
cert, ignoring the new one. Quit, let it shut down, then start a clean
new instance and load the cert into that one.

If that doesn't help, I'll need details of whether or not the
certificate you saw raw was correct (if so, client bug); if it's
server-specific, any more details which came to light there. If it's
client-specific, hopefully by this point you'll have enough data to ask
in the fora of that mail-client (but you should be okay asking here,
it's far less off-topic than many other threads as it will be about a
program which actually talks directly to Exim ;^) ).

-Phil
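Added example, not part of the message above and not the Perl script it links: a standard-library Python equivalent of what smtp_tls_cert.pl is described as doing. It opens a plain SMTP connection, reads the greeting, sends EHLO, checks that STARTTLS is advertised, issues STARTTLS, completes the handshake with verification switched off (the point is to see what the server really sends, as with the openssl s_client check earlier in the thread), and prints the certificate as PEM plus SHA-1 and SHA-256 fingerprints in the layout openssl x509 uses. The default port of 587 (submission) is an assumption mirroring the hard-coded port mentioned in the message; the sample EHLO responses used to exercise the parser are constructed.

```python
"""Dump the certificate an SMTP server presents after STARTTLS.

Added example (not the Perl script linked in the message); stdlib only.
Assumed: an ESMTP server that advertises STARTTLS. The default port 587
(submission) mirrors the hard-coded port of the original script.
"""
import hashlib
import io
import socket
import ssl
import sys

DEFAULT_PORT = 587  # submission; assumption, see module docstring


def read_response(rfile):
    """Read one SMTP response, which may span several "NNN-text" lines.

    Returns (code, [text of each line]). The final line uses "NNN text".
    """
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-response")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP line: %r" % line)
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines


def parse_response(data):
    """Parse a complete response already held in bytes (used for testing)."""
    return read_response(io.BytesIO(data))


def ehlo_keywords(lines):
    """Capability keywords from EHLO response lines; line 0 is the hostname."""
    keys = set()
    for line in lines[1:]:
        parts = line.split()
        if parts:
            keys.add(parts[0].upper())
    return keys


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case digest, the layout openssl x509 prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert(host, port=DEFAULT_PORT, timeout=10):
    """Connect, EHLO, STARTTLS, and return the server certificate as DER.

    Verification is deliberately disabled: we want to see whatever the
    server is actually serving, not to judge it.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")
    code, _ = read_response(rfile)  # 220 greeting
    if code != 220:
        raise RuntimeError("no 220 greeting, got %d" % code)
    sock.sendall(b"EHLO tls-probe.invalid\r\n")
    code, lines = read_response(rfile)
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    if "STARTTLS" not in ehlo_keywords(lines):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    code, _ = read_response(rfile)
    if code != 220:
        raise RuntimeError("STARTTLS refused with %d" % code)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        return tls.getpeercert(binary_form=True)
    finally:
        try:
            tls.sendall(b"QUIT\r\n")
        except OSError:
            pass
        tls.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    der = fetch_cert(host, port)
    print(ssl.DER_cert_to_PEM_cert(der), end="")
    print("SHA1 Fingerprint=" + fingerprint(der, "sha1"))
    print("SHA256 Fingerprint=" + fingerprint(der))
```

Run it as `python smtp_tls_cert.py mail.example.org 587` and feed the PEM it prints into `openssl x509 -noout -serial -fingerprint` as the message suggests; comparing that fingerprint with the one shown in the client's certificate manager tells you in one step whether the server or the client is the side still holding the old certificate.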