[exim] Can't read SSL key/cert, how to debug?

Author: Yves Goergen
To: exim
Subject: [exim] Can't read SSL key/cert, how to debug?
During my tests today, I noticed that Exim doesn't support SSL SMTP
connections anymore. It used to work at some point, but now it doesn't.
When trying to connect with Thunderbird, I get the following line in
exim's main log:

> TLS error on connection from ... (gnutls_handshake): Could not negotiate a supported cipher suite.

No matter whether I use STARTTLS on port 25 or implicit SSL on port 465.
I made a test to show me the SSL certificate using this command:

> openssl s_client -connect localhost:465

And here's what it said:

> CONNECTED(00000003)
> 139894382376608:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

When I do this with Apache on port 443 (https), I see the SSL
certificate. Both programs use the same cert/key file. So I guess Exim
either can't read the SSL file anymore or doesn't understand it. But the
main log doesn't complain when restarting the server and this is the
only line when trying to connect.

What can be the cause of the problem and how could I resolve it?

Exim 4.82 on Ubuntu 14.04.

--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de
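An added diagnostic script, not from the thread, for the two things the post narrows this down to: whether the key and certificate actually belong together, and whether the file permissions let Exim's runtime user read them (Exim opens tls_certificate/tls_privatekey as that user when a client connects, whereas Apache reads the files as root at startup). The paths, the user name (Debian-exim is the Ubuntu package default) and the need for openssl and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl and GNU stat.
# Paths and the Exim runtime user below are placeholders; on Ubuntu the
# packaged Exim runs as Debian-exim, and "exim -bP tls_certificate
# tls_privatekey" prints the file paths the running configuration uses.

# Exit 0 if the public key in the certificate equals the one derived from the
# private key, 1 on mismatch, 2 if either file cannot be read or parsed.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the permission bits let the given (non-root) user read the file.
# A root-only key is fine for Apache, which reads it as root before dropping
# privileges, but not for Exim, which reads it as its own runtime user.
readable_by_user() {
    file="$1"; user="$2"
    [ -f "$file" ] || return 1
    owner=$(stat -c '%U' "$file"); group=$(stat -c '%G' "$file")
    mode=$(printf '%03d' "$(stat -c '%a' "$file")")   # pad "0" to "000"
    mode=${mode#"${mode%???}"}                         # keep last three digits
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ "$user" = "$owner" ]; then
        [ "$u" -ge 4 ]                                 # owner read bit
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        [ "$g" -ge 4 ]                                 # group read bit
    else
        [ "$o" -ge 4 ]                                 # world read bit
    fi
}

# Run both checks against the configured files and report the findings.
check_exim_tls() {
    cert="$1"; key="$2"; user="$3"
    for f in "$cert" "$key"; do
        readable_by_user "$f" "$user" || echo "NOT readable by $user: $f"
    done
    rc=0; key_matches_cert "$cert" "$key" || rc=$?
    case $rc in
        0) echo "key and certificate match" ;;
        1) echo "key does NOT match certificate" ;;
        *) echo "could not parse key or certificate" ;;
    esac
}

# Usage with placeholder paths:
# check_exim_tls /etc/ssl/certs/mail.pem /etc/ssl/private/mail.key Debian-exim
```

If the key turns out unreadable, a group-readable key owned by a group that contains both the web server and the Exim user is a common way to keep one file for both daemons without making it world-readable.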