Auteur: Phil Pennock Date: À: esms11 CC: exim-users Sujet: Re: [exim] exim after upgrade etch to lenny
On 2009-03-01 at 23:10 +0100, esms11@??? wrote: > Support for: crypteq iconv() PAM TCPwrappers OpenSSL > 1758 Calling SSL_accept
> 1758 SSL info: before/accept initialization
> 1758 SSL info: before/accept initialization
> 1758 SSL info: SSLv3 read client hello A
> 1758 SSL info: SSLv3 write server hello A
> 1758 SSL info: SSLv3 write certificate A
> 1758 SSL info: SSLv3 write key exchange A
> 1758 SSL info: SSLv3 write server done A
> 1758 SSL info: SSLv3 flush data
> 1758 SSL info: SSLv3 read client certificate A
> 1758 LOG: MAIN
> 1758 TLS error on connection from FQDN_CLIENT [IP_CLIENT]
> (SSL_accept): error:00000000:lib(0):func(0):reason(0)
I believe this means that the SSL session was torn down cleanly, which
means that the client rejected the connection.
If I understand you correctly, this is the same client used on both the
WAN and the LAN, so the client *does* support the SSL certificate
authority used?
Did any hostnames change in the upgrade? At this point, if the client
does support the SSL CA, then I suspect that the "X509v3 Subject
Alternative Name" (subjectAltName) field does not include the hostname
used when connecting from the WAN.
If you look at the /path/to/ssl.cert/eximcs.crt file with:
openssl x509 -in eximcs.crt -noout -text | less
then do you see *all* the hostnames used by the remote client in the
subjectAltName field?
In any case, I think you need to be looking at the debug output on the
client side to see why it's rejecting the SSLv3 setup and use that to
diagnose what's happening with your Exim setup.