Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?

Author: Phil Pennock
To: Axel Rau
CC: Exim Dev
Subject: Re: [exim-dev] pgsql lookup TLS access broken in 4.82 RC2 ?
On 2013-10-07 at 18:01 +0200, Axel Rau wrote:
> All my mail servers use a pgsql lookup via TLS.
> After upgrading to 4.82 RC2, I'm getting:
> ---
> …DEFER: PGSQL connection failed: SSL error: tlsv1 alert unknown ca
This tells me that the certificate authority used to issue the
certificate used by the Postgres server is not recognised by the SSL
libraries used by Exim.

> In the pgsql log:
> ---
> "could not accept SSL connection: no certificate returned",,,,,,,,,""
That's the server logging the termination reason given by the client
during its clean shutdown.

> -r--r--r--  1 root      daemon  2565 Aug  4 14:14 ca_cert.pem
> lrwxr-xr-x  1 root      daemon    31 Sep  8 17:51 postgresql.crt -> maileserver.at.some.domain_server_cert.pem
> lrwxr-xr-x  1 root      daemon    30 Sep  8 17:51 postgresql.key -> maileserver.at.some.domain_server_key.pem
> lrwxr-xr-x  1 root      daemon    11 Sep  8 17:51 root.crt -> ca_cert.pem
Okay, and is that ca_cert.pem also used in the system SSL store?

Are you sure that nothing got updated in the Exim area? I note that the
dates on those files are only a month ago: did someone deploy the change
live and "fix" the certificate store live but not check the change into
the SCM, so that spinning up an Exim box with an RC on it did not get
the fix?

> Something has changed here or is broken in RC2.
Compared to which release of Exim?

Agreed that if Exim is being more strict by default, then this needs to
be called out in README.UPDATING as an issue. Note though that pgsql.c
has not changed since the previous release and the only changes I know
of around TLS behaviour relate specifically to the LDAP support.

In fact, Exim doesn't do _any_ explicit initialisation of TLS for the
pgsql lookup; we don't support using pgsql: schema URLs; we use an older
API for initialisation, `PQsetdbLogin()`, and the only place we might
supply the options is specified as NULL. So a PGOPTIONS environment
variable will be honoured; is it possible that you have $PGOPTIONS
defined in environ when starting the RC, but not in the system startup
scripts?

There have been a number of TLS changes, which _should_ relate only to
TLS in SMTP, and were made to support cut-through delivery. As rampant
speculation, I can hypothesize that Exim initialises TLS in OpenSSL
differently and this now carries through to the use made by libpq of
OpenSSL. But I don't think so.

-Phil
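Two checks a practitioner would run before blaming the RC, as an added example that is not part of the thread and not Exim's or libpq's code: first, does the Postgres server certificate actually chain to the CA file the client side trusts (the "tlsv1 alert unknown ca" the client sent means it did not, for whatever CA file libpq ended up using); second, which libpq environment variables are present in the environment Exim was started from, since Phil notes that `PQsetdbLogin()` is called with NULL options and so the environment (PGOPTIONS, and libpq's PGSSLMODE / PGSSLROOTCERT / PGSSLCERT / PGSSLKEY) decides the TLS behaviour. The script builds a throwaway CA, an unrelated CA and a server certificate with the `openssl` command line, so it runs offline; all file names, the `pg.example.test` subject and the `$WORK` directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Exim project code. Assumes the openssl CLI is installed.
set -e

WORK=$(mktemp -d)   # scratch directory; everything below is throwaway

# Build a test PKI: a CA, a server cert signed by it, and an unrelated CA that
# stands in for a system store which does not contain ca_cert.pem.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca_cert.pem" -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other_ca.pem" -subj "/CN=Other CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=pg.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca_cert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 1 >/dev/null 2>&1
}

# check_server_cert SERVER_CERT CA_FILE
# Prints "trusted" if SERVER_CERT verifies against CA_FILE, else "unknown-ca",
# which is the client-side condition behind a "tlsv1 alert unknown ca".
check_server_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

# list_libpq_tls_env
# Prints, one per line, the libpq environment variables that influence the
# connection when the caller passes no options (as Exim does via PQsetdbLogin).
# Run it once from the interactive shell used to start the RC and once from the
# init script's environment and diff the two outputs.
list_libpq_tls_env() {
  for v in PGOPTIONS PGSSLMODE PGSSLROOTCERT PGSSLCERT PGSSLKEY PGHOST PGPORT; do
    eval "val=\${$v-}"
    if [ -n "$val" ]; then
      echo "$v=$val"
    fi
  done
  return 0
}

# Demo when run directly: the right CA verifies, an unrelated one does not.
make_test_pki
echo "against ca_cert.pem: $(check_server_cert "$WORK/server.crt" "$WORK/ca_cert.pem")"
echo "against other_ca.pem: $(check_server_cert "$WORK/server.crt" "$WORK/other_ca.pem")"
echo "libpq TLS-related environment in this shell:"
list_libpq_tls_env
```

If the second check reports `unknown-ca` for the CA file libpq really uses (`$PGSSLROOTCERT` if set, otherwise `~/.postgresql/root.crt` of the user Exim runs as), the RC is not at fault; if it reports `trusted` but the connection still fails, compare the two environment listings, since a `PGSSLMODE` or `PGSSLROOTCERT` present only in one of them changes what libpq verifies against.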