Re: [exim] massive increase in SSL handshake failures after …

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] massive increase in SSL handshake failures after root-CA update
On Mon, Jan 20, 2014 at 02:02:49PM +0100, Wolfgang Breyha wrote:

> I see a massive increase in SSL handshake failures after updating the
> ca-certificates RPM last Friday. I can't tell what exactly happens, but some
> facts:
>
> *) exim-4.82
> *) openssl 1.0.1e
> *) ca-certificates-2013.1.95-65.1.el6_5.noarch
>   *) revision till Friday: ca-certificates-2010.63-3.el6_1.5.noarch.rpm
> *) tls_try_verify_hosts = *
>    tls_verify_certificates = /etc/pki/tls/cert.pem

In Postfix we recommend the following:

    - Don't request client certificates on the default SMTP port.

    # default
    smtpd_tls_ask_ccert = no

    - Optionally request these on a dedicated submission port dedicated for
      clients that authenticate via client certs.

    # master.cf
    2525 inet ... smtpd
        -o smtpd_tls_ask_ccert=yes
        ...

    - Configure a short SMTP server CAfile (possibly empty); at least with
      OpenSSL, only the CAfile authority subject DNs are added to the client
      certificate request.

    # Typically empty!
    smtpd_tls_CAfile =

    - If the SMTP server needs to validate client certificates against a
      set of trusted authorities, use a CApath directory for that.  These
      are not included in the client certificate request.

    smtpd_tls_CApath = /some/certs/directory

Don't know how this translates to Exim, but there are likely similar
configuration settings. Postfix by default ignores the default CA
cert locations compiled into OpenSSL. Only CAs explicitly designated
by the user are used.

-- 
    Viktor.
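Added example (not part of the message above, and not Postfix or Exim code): a small Python check for the condition Viktor describes. Run `openssl s_client -connect mx.example.net:25 -starttls smtp` against your own server and pipe its output into this script; it reports how many CA names the server advertised in its TLS CertificateRequest. A list as long as the whole system trust bundle is what the thread points to as the trigger for the handshake failures, whereas `No client certificate CA names sent` is what s_client prints both when no client certificate was requested and when the advertised CA list is empty (the empty-CAfile case), so the script cannot tell those two apart. The host name, the two sample outputs, the generated 150-CA sample and the 20-name threshold are all constructed for this example.

```python
"""Report the CA names an SMTP server advertises in its TLS CertificateRequest.

Usage (against your own MX; the host name is a placeholder):
    openssl s_client -connect mx.example.net:25 -starttls smtp < /dev/null 2>&1 \
        | python3 check_client_ca_list.py
"""
import sys

ACCEPTABLE_HDR = "Acceptable client certificate CA names"
NONE_HDR = "No client certificate CA names sent"

# Assumed threshold for this example: more advertised CAs than this is worth a
# look, because the whole list travels in the CertificateRequest of every
# handshake that asks for a client certificate.
LONG_LIST = 20


def parse_client_ca_names(s_client_output):
    """Return the DNs s_client lists as acceptable client CAs.

    [] means s_client printed "No client certificate CA names sent", which
    covers both "no client certificate requested" and "requested with an
    empty CA list".  None means the section is missing, i.e. the output is
    incomplete (handshake never finished) or not from s_client at all.
    """
    lines = s_client_output.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped == NONE_HDR:
            return []
        if stripped == ACCEPTABLE_HDR:
            names = []
            # s_client prints each name with X509_NAME_oneline, so every DN
            # starts with "/"; the first line that does not ends the list
            # ("---" on OpenSSL 1.0.x, "Client Certificate Types:" on 1.1+).
            for dn in lines[i + 1:]:
                if not dn.startswith("/"):
                    break
                names.append(dn)
            return names
    return None


def assess(names, long_list=LONG_LIST):
    """Summarise a parsed CA list as {"count": int|None, "verdict": str}."""
    if names is None:
        return {"count": None,
                "verdict": "no CertificateRequest section found in the output"}
    if not names:
        return {"count": 0,
                "verdict": "no CA names advertised (no client certificate "
                           "requested, or an empty CA list)"}
    if len(names) > long_list:
        verdict = ("%d CA names advertised: looks like a full trust bundle in "
                   "the server CAfile; keep CAfile short and put trust anchors "
                   "used for verification in CApath" % len(names))
    else:
        verdict = "%d CA names advertised" % len(names)
    return {"count": len(names), "verdict": verdict}


# Constructed sample: a server advertising three CAs.
SAMPLE_THREE_CAS = """\
---
Acceptable client certificate CA names
/C=US/O=Example Root CA/CN=Example Root CA
/C=US/O=Example Root CA/CN=Example Intermediate CA
/C=DE/O=Another Root/CN=Another Root CA
---
SSL handshake has read 4321 bytes and written 456 bytes
---
"""

# Constructed sample: a server that sent no CA names at all.
SAMPLE_NO_NAMES = """\
---
No client certificate CA names sent
---
SSL handshake has read 2100 bytes and written 400 bytes
---
"""

# Constructed sample: a server whose CAfile is an entire trust bundle.
SAMPLE_BUNDLE = ("---\n" + ACCEPTABLE_HDR + "\n"
                 + "".join("/C=XX/O=Constructed CA %d/CN=Root %d\n" % (i, i)
                           for i in range(150))
                 + "---\nSSL handshake has read 40000 bytes and written 500 bytes\n---\n")

if __name__ == "__main__":
    # Read real s_client output from a pipe; fall back to the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_THREE_CAS
    print(assess(parse_client_ca_names(data))["verdict"])
```

The check is read-only and runs from the client side, so it works for an Exim server as well as a Postfix one; what it cannot see is which setting produced the list, which is where the `tls_verify_certificates` bundle from the quoted report comes in.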