Re: [exim] exim 4.84 : self signed cert issue with TLS

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] exim 4.84 : self signed cert issue with TLS
On Tue, Jul 19, 2016 at 10:23:18AM +0100, Jeremy Harris wrote:

> On 19/07/16 01:46, Hanasaki Jiji wrote:
> > recently upgraded to exim 4.84
> > getting errors : "A TLS fatal alert has been received.: CA is unknown"
>
> Errors from where/what? Under what test scenario?
>
> Background: something is insisting that a cert is verifiable, but
> does not have the CA for it. The CA for a self-signed cert is
> the cert itself. You could deal with the requirement for
> verification, or you could ensure that the cert is treated as
> a trusted CA by adding it to your copies of these CAs.


One thing to keep in mind is that TLS alerts are always problems
on the remote side of an SSL connection: the peer is complaining
about something they don't like. In this case, the peer does not
like the certificate that was presented to it.

Whether this is a problem or not rather depends on what peer it is
and what they're doing and what fallback they may employ.

Often the misconfigured MTAs that insist on valid certs for
opportunistic TLS are spammers, and you can ignore the issue.

If the problem is that some remote SMTP server does not like your client
certs, disable client certificates on the local end; they do more
harm than good.

-- 
    Viktor.
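
Added example (not part of the original message, and not Exim's own code): a log triage sketch that applies the point above, treating every received fatal alert as the peer's complaint and splitting the hits by whether the local host was the TLS server or the TLS client. The log lines are constructed, and the "TLS error on connection from/to HOST [IP]" layout is an assumption about the log format; only the alert text itself is quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines. The "TLS error on connection from/to HOST [IP]"
# layout is an assumption about the log format; only the alert text
# ("A TLS fatal alert has been received.: CA is unknown") is from the thread.
SAMPLE_LOG = """\
2016-07-19 01:40:02 TLS error on connection from mx.example.net [192.0.2.10] (gnutls_handshake): A TLS fatal alert has been received.: CA is unknown
2016-07-19 01:41:17 TLS error on connection from mx.example.net [192.0.2.10] (gnutls_handshake): A TLS fatal alert has been received.: CA is unknown
2016-07-19 01:45:33 TLS error on connection to mail.example.org [198.51.100.7] (gnutls_handshake): A TLS fatal alert has been received.: CA is unknown
2016-07-19 01:50:09 TLS error on connection from client.example.com [203.0.113.5] (gnutls_handshake): The TLS connection was non-properly terminated.
2016-07-19 01:52:00 <= user@example.com H=relay.example.com [203.0.113.9] P=esmtps S=1024
"""

LINE_RE = re.compile(
    r"TLS error on connection (?P<dir>from|to) (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
    r" \((?P<func>[^)]+)\): (?P<msg>.*)$"
)
ALERT_RE = re.compile(r"A TLS fatal alert has been received\.(?:: (?P<name>.+))?$")

def triage(log_text):
    """Count received fatal alerts per (our role, peer IP, alert name).

    A received alert is the peer's complaint: with direction "from" we were
    the server and the peer disliked our server certificate; with "to" we
    were the client, so a client certificate we offered is the suspect.
    Returns (alerts, other); other holds TLS errors that are not alerts.
    """
    alerts = defaultdict(int)
    other = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TLS error line
        a = ALERT_RE.search(m["msg"])
        if a:
            role = "server" if m["dir"] == "from" else "client"
            alerts[(role, m["ip"], a["name"] or "unspecified")] += 1
        else:
            other.append((m["ip"], m["msg"]))
    return dict(alerts), other

if __name__ == "__main__":
    found, rest = triage(SAMPLE_LOG)
    for (role, ip, name), n in sorted(found.items()):
        print(f"{n:3d}  we were {role:6s}  peer {ip:15s}  alert: {name}")
    for ip, msg in rest:
        print(f"     non-alert TLS error from {ip}: {msg}")
```

Hits with the role "client" are the case where disabling client certificates on the local end applies; hits with the role "server" are remote clients that insist on verifying the server certificate.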