Re: [exim] Before update exim to 4.90, TLS/SSL connection no…

Author: Torsten Tributh
Date:  
To: exim-users
Subject: Re: [exim] Before update exim to 4.90, TLS/SSL connection not work
How have you created your certificate?
If you use md5 or sha1 (as signing algorithm) this will fail with the
recent Thunderbird. Try to use sha256.
...and how many bits have you used?
For an RSA certificate you should use 2048 bit and for an ECDSA
certificate a minimum of 256 bit.

It just looks to me like the currently needed requirements for a
certificate are not met and Thunderbird drops the connection, which
gives an
"(SSL_accept): error:00000000:lib(0):func(0):reason(0)"
entry in the exim log.
Exim just recognizes that the TLS connection was failed by the
requestor and cannot provide any further information.


With
openssl x509 -noout -text -in /opt/exim/ssl/exim.crt | grep 'Signature Algorithm'
you should see (if you made an RSA certificate):
Signature Algorithm: sha256WithRSAEncryption

Or send the output from
openssl s_client -connect yourserver.example.com:465
then we have the details to guide you further.

Cheers Torsten



On 2/22/18 7:08 PM, Emanuel Gonzalez via Exim-users wrote:
> Hello, thanks for your reply.
>
> /opt/exim/bin/exim -d -bV
> Exim version 4.90_1 #96 built 22-Feb-2018 14:19:18
> Copyright (c) University of Cambridge, 1995 - 2017
> (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
> Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
> Support for: crypteq iconv() Perl OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb
> Authenticators: plaintext tls
> Routers: accept dnslookup ipliteral manualroute queryprogram redirect
> Transports: appendfile/maildir autoreply pipe smtp
> Fixed never_users: 0
> Configure owner: 502:0
> Size of off_t: 8
> Compiler: GCC [4.8.5 20150623 (Red Hat 4.8.5-16)]
> Library version: Glibc: Compile: 2.17
>                         Runtime: 2.17
> Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
>                           Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
>                                  : built on: reproducible build, date unspecified
> Library version: PCRE: Compile: 8.32
>                        Runtime: 8.32 2012-11-30
> WHITELIST_D_MACROS unset
> TRUSTED_CONFIG_LIST unset
> Exim version 4.90_1 uid=0 gid=0 pid=15348 D=fbb95cfd
> changed uid/gid: forcing real = effective
>   uid=0 gid=0 pid=15348
>   auxiliary group list: <none>
> changed uid/gid: calling tls_validate_require_cipher
>   uid=502 gid=502 pid=15349
>   auxiliary group list: <none>
> tls_validate_require_cipher child 15349 ended: status=0x0
> openssl option, adding from 1104000: 1000000 (no_sslv2 +no_sslv3)
> openssl option, adding from 1104000: 2000000 (no_sslv3)
> configuration file is /etc/exim/configure
> log selectors = 00000ffc 0c640402
> Starting Perl interpreter
> cwd=/root 3 args: /opt/exim/bin/exim -d -bV
> trusted user
> admin user
> changed uid/gid: privilege not needed
>   uid=502 gid=502 pid=15348
>   auxiliary group list: 502
> seeking password data for user "exim": cache not available
> getpwnam() succeeded uid=502 gid=502
> seeking password data for user "mailman": cache not available
> getpwnam() succeeded uid=1002 gid=1002
> originator: uid=0 gid=0 login=root name=root
> sender address = root@???
> Configuration file is /etc/exim/configure
>
> ### exim configure
>
> openssl_options = +no_sslv2 +no_sslv3
> MAIN_TLS_ENABLE = yes
>
> tls_on_connect_ports = 465
>
> tls_certificate = /opt/exim/ssl/exim.crt
> tls_privatekey = /opt/exim/ssl/exim.key
> tls_advertise_hosts = *
>
>
> ###
>
>
> I did not modify any config, but Thunderbird does not accept the certificates.
>
>
> I do not remember how openssl was configured, but the Makefile indicates the service installation path.
>
>
> Regards,
>


--
Torsten
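The checks Torsten asks for above (signature algorithm, key type and size, and the certificate a server presents on port 465), scripted as an added example. This is not code from the thread or from the Exim project; it only parses the output of the same openssl commands. The certificate path /opt/exim/ssl/exim.crt comes from the quoted configuration; the host name and the sample "openssl x509 -text" snippets below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Exim): check a certificate
# against the requirements discussed above, using only the openssl CLI.
# Accepted: SHA-2 (or EdDSA) signature, RSA key >= 2048 bit, EC key >= 256 bit.

# cert_check_text: read "openssl x509 -noout -text" output on stdin, print one
# line per problem found, print "ok" and return 0 when nothing is wrong.
cert_check_text() {
    text=$(cat)
    status=0

    # First "Signature Algorithm:" line, e.g. "sha256WithRSAEncryption" or
    # "ecdsa-with-SHA256" (the line appears twice in the output, identically).
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448) ;;
        '') echo "no signature algorithm found in input"; status=1 ;;
        *)  echo "signature algorithm $sigalg is rejected by current clients; re-issue with sha256"; status=1 ;;
    esac

    # Key type and size: "Public Key Algorithm: rsaEncryption" / "id-ecPublicKey"
    # and "Public-Key: (2048 bit)" (OpenSSL 1.1.1 prints "RSA Public-Key: (2048 bit)").
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    case "$keyalg" in
        rsaEncryption)
            [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-?} bits; use at least 2048"; status=1; } ;;
        id-ecPublicKey)
            [ "${bits:-0}" -ge 256 ] || { echo "EC key is ${bits:-?} bits; use at least 256"; status=1; } ;;
        ED25519|ED448) ;;
        '') echo "no public key algorithm found in input"; status=1 ;;
        *)  echo "unrecognised key algorithm: $keyalg"; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# cert_check_file: check a PEM certificate on disk (e.g. /opt/exim/ssl/exim.crt,
# the path from the quoted config) and also fail if it has already expired.
cert_check_file() {
    crt="$1"
    openssl x509 -noout -text -in "$crt" | cert_check_text || return 1
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || { echo "certificate has expired"; return 1; }
}

# cert_check_server: fetch the leaf certificate a TLS-on-connect server presents
# (SMTPS on 465, as in tls_on_connect_ports above) and run the same checks.
# Host name is an assumption; needs network access.
cert_check_server() {
    host="$1"; port="${2:-465}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | cert_check_text
}

# Constructed sample input in the shape of "openssl x509 -noout -text" output
# (not real certificates): one that meets the requirements, one that does not.
SAMPLE_GOOD='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

SAMPLE_WEAK='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'

# Stand-alone run: show the verdict on both samples, then on the local file
# and on a server if those exist/are reachable (host name is an assumption).
printf '%s\n' "$SAMPLE_GOOD" | cert_check_text
printf '%s\n' "$SAMPLE_WEAK" | cert_check_text
[ -r /opt/exim/ssl/exim.crt ] && cert_check_file /opt/exim/ssl/exim.crt
# cert_check_server yourserver.example.com 465
```

Run `cert_check_file /opt/exim/ssl/exim.crt` on the Exim host; if it prints anything other than "ok", re-issue the certificate with sha256 and a 2048-bit RSA (or 256-bit EC) key. `cert_check_server` checks what the server actually hands out on 465, which is what Thunderbird sees.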