[exim] DANE vs unknown CA

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Heiko Schlittermann
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: [exim] DANE vs unknown CA
Hi,

this is especially for Victor. I'm out of ideas.


    openssl option, adding to     42004000: 00000000 (no_sslv2 +no_sslv3)
    openssl option, adding to     42004000: 02000000 (no_sslv3)
    setting SSL CTX options: 0x42004000
    Diffie-Hellman initialized from default with 2048-bit prime
    Initialized TLS
    Dane lib-init
    Dane ctx-init
    Setting TLS SNI "atvirtual.net"
    Dane ssl_init
    Dane add-tlsa: usage 3 sel 1 mdname "sha256"
    Calling SSL_connect
    SSL_connect: before SSL initialization
    SSL_connect: SSLv3/TLS write client hello
    SSL_connect: SSLv3/TLS write client hello
    SSL_connect: SSLv3/TLS read server hello
    Dane verify_cert
    verify_callback_client_dane: BAD depth 1 /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
     - err 20 'unable to get local issuer certificate'
    SSL3 alert write:fatal:unknown CA
    SSL_connect: error in error
    Dane lib-cleanup
    TLS error '(SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
    TLS session fail: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    LOG: MAIN
      DANE attempt failed; TLS connection to serv02.atvirtual.eu [185.206.180.72]: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    LOG: MAIN
      == <zensored>@atvirtual.net R=dnslookup T=remote_smtp defer (-37) H=serv02.atvirtual.eu [185.206.180.72]:25 DT=20s: TLS session: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    fresh-exec forking for logfile-open
    fresh-exec forked for logfile-open: 13215
    postfork: logfile-open



The Exim 4.94.2 producing this uses openssl 1.1.1j
With older Exim 4.92.3 it works (openssl 1.1.0i)

Any idea? For what I understand about DANE, it shouldn't care about the
CA cert, should it? (The TLSA record uses 3 1 1)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -