Re: [exim] Exim Retaining Non-Existant SSL Certificates

Top Page
Delete this message
Reply to this message
Author: Graham Christensen
Date:  
To: exim-users
Subject: Re: [exim] Exim Retaining Non-Existant SSL Certificates
Alright, I just ran the command to ssl'ize the connection, and the
certificate being used is the incorrect one, with the old information
(also expired at this point.) I'm not sure on how exactly to debug this,
seeing as the SSL certificate *is* correct.

Graham

Graham Christensen

http://itrebal.com - Customized Web Hosting
Graham.Christensen@???



Phil Pennock wrote:
> On 2008-03-28 at 19:38 -0400, Graham Christensen wrote:
>
>> This is referring to the server-to-client communication. The weird part
>> is, even when I clear the cache entirely and try again, it still gets
>> the old one. I don't know of any errors in regards of server-to-server
>> communication. Is there still a possible issue with mismatching
>> certificates in the cache?
>>
>
> Okay, first verify that the server is serving up the new certificate.
> If you listen on smtps (SSL-on-connect) then this:
> openssl s_client -showcerts -connect localhost:smtps
> will show you the PEM-encoded certificate, which you've already
> demonstrated you know how to feed into "openssl x509".
>
> There are various tools to dump certs from SMTP; I just stuck a short
> Perl script up at:
> http://people.spodhuis.org/phil.pennock/software/smtp_tls_cert.pl
> smtp_tls_cert.pl has a dependency upon Net::SSLeay, which is a very
> common dependency for SSL/TLS in Perl. The script assumes submission
> port, it's hard-coded and I never bothered changing that.
>
> If you can confirm that the server is fine, then you're onto looking at
> the clients. Not Exim-specific, but commonly an issue encountered by
> mail-admin and not too far off-topic for the list, IMO.
>
> What sort of certificate are you using? Self-signed, private CA,
> purchased certificate? If purchased, complain and get a new one. If a
> private CA, issue yourself a new cert with a new serial number. If you
> replaced the CA cert itself, then it's the CA cert which you need to
> purge. If it's a self-signed cert, then it's that in particular.
>
> The client's not so much "caching" the cert, as it is keeping hold of a
> known-good copy for future comparison. Clearing normal caches won't
> touch it. With a client such as Thunderbird, you need to go to the
> Certificate Manager (Preferences/Options/Whatever, Advanced,
> Certificates, View Certificates). For a self-signed server cert, look
> at "Web Sites", because to Mozilla all the world is a web-site,
> including SMTP and IMAP and POP3 servers. ;^) If a private CA, look
> under Authorities.
>
> Delete the defunct bad cert, close and shut down the program. If you
> try and load the correct cert back in after deleting, then some programs
> (the Mozilla ones in particular) will just silently load back in the old
> cert, ignoring the new one. Quit, let it shut down, then start a clean
> new instance and load the cert into that one.
>
> If that doesn't help, I'll need details of whether or not the
> certificate you saw raw was correct (if so, client bug); if it's
> server-specific, any more details which came to light there. If it's
> client-specific, hopefully by this point you'll have enough data to ask
> in the fora of that mail-client (but you should be okay asking here,
> it's far less off-topic than many other threads as it will be about a
> program which actually talks directly to Exim ;^) ).
>
> -Phil
>
>