Re: [exim] SSL wildcard certificate intermediate CA weirdnes…

Author: Christian Balzer
Date:  
To: Exim-users
Subject: Re: [exim] SSL wildcard certificate intermediate CA weirdness
On Fri, 20 Dec 2019 07:47:42 +0100 Heiko Schlittermann via Exim-users
wrote:

> Christian Balzer via Exim-users <exim-users@???> (Fr 20 Dez 2019 01:15:18 CET):
> >
> > Kinda implied by the VIP, pacemaker bits. :)
> >
> > The testmail.do.main VIP is handled by smtp01 and 02, with it being resident
> > on smtp01 for most of the testing, but failing it over doesn't change the
> > outcome.
>
> If connections to the individual servers work as expected but connecting
> to them via the loadbalancer fails, I'd check the loadbalancer first, not
> Exim.
>
> Does your loadbalancer intercept the SSL connection?
>

Please re-read the thread, there is no loadbalancer involved in this test
setup, just a (not so much) floating Virtual IP managed by pacemaker.

And in production the loadbalancer would be LVS, which is very much
agnostic of anything above L3.

There is no device or local software on the server that would or could
intercept traffic between the test servers and testing sources.

But as stated in the previous reply to Jeremy, this looks like a gnutls
issue most likely.

Christian

> If the immediate answer is "no", then the next question already: How can
> you tell?
>
> Can you replace Exim for testing purposes by an openssl s_server?
> (Important: On the same port as Exim would serve).
>
>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann
> --
>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -



-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Rakuten Mobile Inc.