Re: [exim] Can't read SSL key/cert, how to debug?

Author: Yves Goergen
Date:  
To: Evgeniy Berdnikov, exim-users
Subject: Re: [exim] Can't read SSL key/cert, how to debug?
On 22.12.2014 at 12:48, Evgeniy Berdnikov wrote:
> OK. Exim is built with GnuTLS, and you are trying to connect with OpenSSL,
> without success in cipher negotiation, let's try to use gnutls-cli first.
> Install gnutls-bin package for Ubuntu, then run
>
> % gnutls-cli -p 465 localhost --no-ca-verification --crlf -d4
>
> and post the output here.


I did this (stripped all invalid options):
gnutls-cli -p 465 localhost --crlf

With the SHA-512 certificate:
> Resolving 'localhost'...
> Connecting to '127.0.0.1:465'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GnuTLS error: A TLS packet with unexpected length was received.


With the new SHA-256 certificate:
> Resolving 'localhost'...
> Connecting to '127.0.0.1:465'...
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 2048 bits
> - Secret key: 2047 bits
> - Peer's public key: 2047 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `C=DE,ST=-,L=-,O=-,OU=-,CN=xxxx.de,EMAIL=-', issuer `C=DE,ST=-,L=-,O=-,OU=-,CN=xxxx.de,EMAIL=-', RSA key 4096 bits, signed using RSA-SHA256, activated `2014-12-22 11:24:00 UTC', expires `2015-12-22 11:24:00 UTC', SHA-1 fingerprint `7ce35cd046c6937b5e19f8a021c5adef5b886e9b'
> - The hostname in the certificate does NOT match 'localhost'


So it's basically the same result I guess.

One more piece of info, if it's helpful:

> $ gnutls-cli --version
> gnutls-cli (GnuTLS) 2.12.23
> Packaged by Debian (2.12.23-12ubuntu2.1)
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Nikos Mavrogiannopoulos.


--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de