Re: [exim] [SOLVED] POODLE advisory from exim-announce

Author: elrippo
Date:  
To: exim-users
CC: Jeremy Harris
Subject: Re: [exim] [SOLVED] POODLE advisory from exim-announce
On Montag, 3. November 2014, 18:19:30 Jeremy Harris wrote:
> On 03/11/14 17:39, elrippo wrote:
> > I tried out to set the commands
> >
> > tls_require_ciphers = NORMAL:!VERS-SSL3.0
> > tls_advertise_hosts = *
> > hosts_require_tls = *
> >
> > in
> > /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
> >
> > and
> > /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
> >
> > after running update-exim4.conf it complains [main option "hosts_require_tls" unknown], ["tls_advertise_hosts" option set for the second time] and in
>
> There isn't a main option "tls_advertise_hosts", like the error says.
> The "tls_advertise_hosts" option is all you need there.
>
> >
> > /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp [option "tls_require_ciphers" unknown]
>
> This should have worked. Can you locate the put-together exim config
> file, and check that the relevant transport definition, with all its
> options, looks correct versus the documentation for your exim version
> (see http://exim.org/docs.html).
>
> Possibly the error message itself is wrong, and it should have been
> complaining that a transport option called "tls_advertise_hosts"
> does not exist.
>


Hi Jeremy,

this time I really found the "BUG" that causes this, I just do not know how to debug this properly, so please tell me how I can do this.

I regenerated a certificate and a key by running "/usr/share/doc/exim4-base/examples/exim-gencert --force".
After that everything was fine, and all connections were encrypted with TLS 1.2 by using "tls_require_ciphers = SECURE128:!VERS-SSL3.0".
If I use my legitimate cacert.org certificate, exim complains with [could not negotiate tls_handshake].
If I use my 4096-bit key which I use with the cacert.org certificate, then exim complains [(gnutls_handshake): Public key signature verification has failed.]

In my opinion this is a security risk, because my apache2, XMPP and FTP server use the exact same cacert.org certificate and the 4096bit RSA key without any troubles.

Kind regards,
elrippo
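Added illustration (not part of the thread, not Debian's shipped files): the placement Jeremy's reply describes, in a Debian split-config tree. `tls_advertise_hosts` is a main option, while `hosts_require_tls` and `tls_require_ciphers` belong inside the smtp transport. The `conf.d/main` file name is assumed; Debian's real transport file carries further settings that are left out here and should be kept.

```text
# --- /etc/exim4/conf.d/main/000_localmacros  (assumed file name; any conf.d/main file works) ---
# Main option: applies to the whole daemon, so it must not appear in a transport.
tls_advertise_hosts = *

# Main-section tls_require_ciphers governs INCOMING connections (separate option, same name).
tls_require_ciphers = SECURE128:!VERS-SSL3.0

# --- /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost ---
# Transport options: indented under the transport name, affecting OUTGOING deliveries
# made by this transport only. Other settings in Debian's file stay as they are.
remote_smtp_smarthost:
  driver = smtp
  hosts_require_tls = *
  tls_require_ciphers = SECURE128:!VERS-SSL3.0
```

To check the result the way the reply suggests: after `update-exim4.conf`, on Debian the assembled configuration is written to /var/lib/exim4/config.autogenerated; `exim -bV` reports whether it parses, `exim -bP tls_advertise_hosts` prints the main option as read, and `exim -bP transport remote_smtp_smarthost` prints that transport with every option Exim accepted for it, so a misplaced option shows up before the daemon is restarted.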