On Samstag, 1. November 2014, 11:31:52 Jeremy Harris wrote:
> On 01/11/14 10:11, elrippo wrote:
> > tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0
> >
> >
> >
> > I sent a mail using my desktop client and my domain to google. Incomming exim4 used SSL outgoing TLS?!?!
> >
> > 2014-11-01 10:07:45 1XkUee-0001XI-6c <= user@??? H=([10.0.0.7]) [95.85.37.181] P=esmtpsa X=SSL3.0:DHE_RSA_AES_256_CBC_SHA1:256 A=plain_saslauthd_server:user S=9737 id=F404320C-274F-4491-8ED2-6133D5A62759@???
>
> You told it to use sslv3 and it used sslv3.
> I'm not quite sure why you find this surprising.
>
Yes, because the TLS verification process fails guys!
I found the "BUG"!!!!
I have a legitimate cacert.org certificate that ends in 2016. (My apache2 and courier imap server accept these without any error)
So, as usual, exim is pointed to the certificate and the servers private.key instead of the self generated keys from "sudo /usr/share/doc/exim4-base/examples/exim-gencert"
My exim4.72 on Ubuntu 12.04LTS used the cacert.org certificates without any problems.
After my Upgrade from Ubuntu12.04 to 14.04 the tls_hand_shake and _tls_cipher_negotiate erros started.
Now fasten your seat belts
If i use the cacert.org certificate tls_handshake_errors are displayed in the logs.
If i use the selfsigned certificates from "sudo /usr/share/doc/exim4-base/examples/exim-gencert" there are no errors displayed in the logs.
So, what to do on debian based systems for validation of the cacert.org certificates.
Import the cacert.org root certificates.
How?
Like this.
1.) Go to
https://www.cacert.org/index.php?id=3 and get the class1 and class3 root certificates in *.crt format and save them on your desktop.
2.) Open the root.crt and copy paste the certificate on your server in to "/usr/share/ca-certificates/extras/cacert.crt"
3.) Open the class3.crt and copy paste the certificate on your server in to "/usr/share/ca-certificates/extras/cacert1.crt"
4.) Import the certificates with "sudo dpkg-reconfigure ca-certificates"
5.) Choose "YES"
6.) Pick the two certificates with your cursor and space
7.) Now copy your server.crt and the private.key to /etc/exim4/exim.crt and /etc/exim4/exim.key
8.) Now you can use "tls_require_ciphers = NORMAL:!VERS-SSL3.0" or whatever you prefer.
9.) Run "sudo update-exim4.con" and "sudo service exim4 restart"
10.) Seend a test mail and you will see, that your exim4 server is connecting with TLS!
Took me a while to find this one :-)
Kind regards,
elrippo
