[exim-dev] OpenSSL certificate verification failure logging

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-dev
Betreff: [exim-dev] OpenSSL certificate verification failure logging
... is noisy in mainlog. It has been forever, I think;
the code line has always (in git terms) been there.
Perhaps it's only the growth in use of certificates.
You get blocks like:

2014-06-16 01:22:22 +0000 SSL verify error: depth=1 error=self signed
certificate in certificate chain cert=/C=US/O=RTFM, Inc./OU=Widgets
Division/CN=Test CA20010517
2014-06-16 01:22:22 +0000 SSL verify error: depth=1 error=invalid CA
certificate cert=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
2014-06-16 01:22:22 +0000 SSL verify error: depth=1 error=unsupported
certificate purpose cert=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test
CA20010517
2014-06-16 01:22:22 +0000 SSL verify error: depth=1 error=certificate
has expired cert=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
2014-06-16 01:22:22 +0000 SSL verify error: depth=0 error=certificate
has expired cert=/C=US/O=RTFM, Inc./OU=Widgets Division/CN=localhost

(that one's a standard "example certificate" - and someone is serving
it up!)

and every self-signed cert gets at least one line to say that
(often a second to say it's expired; sigh)


This seems unfortunate for a default-settings log. Since it's already
there it is probably too late to change for the upcoming 4.83 -
but should it move to under debug ( +tls )? A new logging option
( tls_detail )? Redefined existing logging option
( tls_certificate_verified )?

Thoughts?
--
Cheers,
Jeremy