On Fri, 20 Dec 2019 15:01:16 +0100 Heiko Schlittermann wrote:
> Christian Balzer <chibi@???> (Fr 20 Dez 2019 14:49:27 CET):
> > > > The testmail.do.main VIP is handled by smtp01 and 02, with being resident
> > > > on smtp01 for most of the testing, but failing it over doesn't change the
> > > > outcome.
> > >
> > > If connections to the individual servers work as expected but connecting
> > > to them via the loadbalancer fail, I'd check the loadbalancer first, not
> > > Exim.
> > >
> > > Does your loadbalancer intercept the SSL connection?
> > >
> > Please re-read the thread, there is no loadbalancer involved in this test
> > setup, just a (not so much) floating Virtual IP managed by pacemaker.
> Ok. From "individual IPs" and the rest of the context I assume a
> loadbalancer setup. (Yes, I know, assumptions are the mother of …)
> I do not see why GnuTLS should behave dependent on the IP you're
> connecting to. I'd retest this with openssl s_server, or, since there is
> no device in between, with gnutls-serv of the same version as the
> libraries Exim uses.
I've tried this with "openssl s_server" and it works either which way,
"openssl s_server -cert wildcard.crt -key wildcard.key -CAfile ca.crt"
I can't get gnutls_server to use/send the CA intermediate at all, only the
server cert is sent with:
"gnutls-serv --x509keyfile=wildcard.key --x509certfile=wildcard.crt
> And I remember some issues with the order of the certs in the cert file.
While that sounds vaguely familiar, I don't think it could/should affect
Christian Balzer Network/Systems Engineer
chibi@??? Rakuten Mobile Inc.
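As an added example that is not part of the thread: a small shell helper for the comparison suggested above, capturing what each endpoint (VIP versus individual IP, same SNI name) sends with openssl s_client and checking offline that the chain is leaf-first and links up, which also covers the cert-file ordering point. Host names, port and the "Example" certificate names are assumptions.

```shell
# Added example, not from the thread: compare the certificate chain a server
# presents on the VIP with the one it presents on an individual IP.
# capture_chain HOST PORT SNI talks to a server (host names hypothetical);
# chain_check FILE parses a saved capture offline.
capture_chain() {
    # -servername sends SNI so the same vhost is selected on the VIP and on
    # smtp01 directly; -showcerts prints every certificate the server sent,
    # in the order it sent them. Drop -starttls for implicit TLS on port 465.
    openssl s_client -connect "$1:$2" -servername "$3" -starttls smtp \
        -showcerts </dev/null 2>/dev/null
}
# chain_check FILE: read the " N s:<subject>" / "   i:<issuer>" lines that
# s_client prints before each certificate. The chain must be leaf first, with
# each issuer equal to the next subject; exit status 1 when it does not link.
chain_check() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "no certificate chain found"; exit 1 }
            ok = 1
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k+1]) {
                    ok = 0
                    printf "cert %d issuer \"%s\" != cert %d subject \"%s\"\n", k-1, iss[k], k, subj[k+1]
                }
            root = (iss[n] == subj[n]) ? "yes" : "no"
            printf "depth=%d leaf=\"%s\" last_issuer=\"%s\" root_sent=%s\n", n, subj[1], iss[n], root
            exit (ok ? 0 : 1)
        }' "$1"
}
# chain_depth FILE: number of certificates sent (1 = leaf only, the symptom
# discussed in the thread when the intermediate should have been included).
chain_depth() { grep -c '^ *[0-9][0-9]* s:' "$1"; }
# write_sample KIND FILE: constructed captures reduced to the lines parsed.
leaf='CN = *.do.main'
inter='O = Example, CN = Example Intermediate CA'
root='O = Example, CN = Example Root CA'
write_sample() {
    case "$1" in
    full)        printf ' 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n' "$leaf" "$inter" "$inter" "$root" > "$2" ;;
    wrong-order) printf ' 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n' "$inter" "$root" "$leaf" "$inter" > "$2" ;;
    leaf-only)   printf ' 0 s:%s\n   i:%s\n' "$leaf" "$inter" > "$2" ;;
    esac
}
```

Run `capture_chain testmail.do.main 25 testmail.do.main > vip.txt` and the same against each individual IP, then `chain_check` each file; a depth of 1 with a non-self-signed last_issuer means the intermediate was not sent.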