[exim] 4.95 RC0 - gnutls outgoing TLS cert verification brok…

Author: Andreas Metzler
Date:  
To: exim-users
Subject: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
Hello,

there seems to be some breakage in 4.95 RC0 with outgoing TLS; it fails
to verify the peer certificate:

--------------------
initialising GnuTLS as a client on fd 7
GnuTLS global init required
initialising GnuTLS client session
Expanding various TLS configuration options for session credentials
TLS: basic cred init, client
TLS: no client certificate specified; okay
TLS: tls_verify_certificates not set or empty, ignoring
GnuTLS using default session cipher/priority "NORMAL"
Setting D-H prime minimum acceptable bits to 1024
31.15.64.248 in tls_verify_hosts? yes (matched "*")
31.15.64.248 in tls_verify_cert_hostnames? yes (matched "*")
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de"
TLS: server certificate verification required
TLS: will request OCSP stapling
31.15.64.248 in tls_resumption_hosts? no (option unset)
about to gnutls_handshake
search_tidyup called
SMTP>>(close on process exit)
>>>>>>>>>>>>>>>> Exim pid=128174 (daemon-accept) terminating with rc=0 >>>>>>>>>>>>>>>>

child 128174 ended: status=0x0
normal exit, 0
0 SMTP accept processes now running
Listening...
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
To get keying info for TLS1.3 is hard:
Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
and make sure it is writable by the Exim runtime user.
Add SSLKEYLOGFILE to keep_environment in the exim config.
Start Exim as root.
If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
(works for TLS1.2 also, and saves cut-paste into file).
Trying to use add_environment for this will not work
TLS: checking peer certificate
The certificate is NOT trusted. The certificate issuer is unknown.
TLS certificate verification failed (certificate invalid): peerdn="CN=vsrv21575.customer.vlinux.de"
TLS session fail: (certificate verification failed): certificate invalid
--------------------

For reference, with 4.94.2 (+fixes) the successful debug output looks like this:
--------------------
initialising GnuTLS as a client on fd 7
GnuTLS global init required.
initialising GnuTLS client session
Expanding various TLS configuration options for session credentials.
TLS: no client certificate specified; okay
Added 127 certificate authorities.
GnuTLS using default session cipher/priority "NORMAL"
Setting D-H prime minimum acceptable bits to 1024
31.15.64.248 in tls_verify_hosts? yes (matched "*")
31.15.64.248 in tls_verify_cert_hostnames? yes (matched "*")
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de".
TLS: server certificate verification required.
TLS: will request OCSP stapling
about to gnutls_handshake
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
To get keying info for TLS1.3 is hard:
Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
and make sure it is writable by the Exim runtime user.
Add SSLKEYLOGFILE to keep_environment in the exim config.
Start Exim as root.
If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
(works for TLS1.2 also, and saves cut-paste into file).
Trying to use add_environment for this will not work
TLS: checking peer certificate
TLS certificate verified: peerdn="CN=vsrv21575.customer.vlinux.de"
cipher: TLS1.3:ECDHE_SECP256R1__ECDSA_SECP384R1_SHA384__AES_256_GCM:256
Have channel bindings cached for possible auth usage
--------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
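The two transcripts differ in one telling place: 4.94.2 logs "Added 127 certificate authorities." before the handshake, whereas 4.95 RC0 logs "TLS: tls_verify_certificates not set or empty, ignoring" yet still reports "server certificate verification required", and the handshake then fails with "The certificate issuer is unknown". A verification that is mandatory but runs with no trust anchors loaded will reject every peer, so that failure says nothing about the remote certificate. The script below is an added example (not Exim's code, and not from the poster) that scans Exim client-side TLS debug output for exactly those markers and separates "no CA store loaded" from a genuinely untrusted peer. It assumes the message texts as they appear in the quoted debug output; the two embedded samples are constructed from excerpts of the transcripts above.

```python
"""Triage helper for Exim GnuTLS client-side TLS debug output.

Added example, not part of Exim. It classifies a debug transcript by the
log markers visible in the post, so a missing CA store (a local build or
configuration problem) is not mistaken for a bad peer certificate.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines excerpted from the 4.95 RC0 transcript in the post.
RC0_SAMPLE = """\
TLS: no client certificate specified; okay
TLS: tls_verify_certificates not set or empty, ignoring
TLS: server certificate verification required
TLS: checking peer certificate
The certificate is NOT trusted. The certificate issuer is unknown.
TLS certificate verification failed (certificate invalid): peerdn="CN=vsrv21575.customer.vlinux.de"
TLS session fail: (certificate verification failed): certificate invalid
"""

# Constructed sample: lines excerpted from the 4.94.2 transcript in the post.
OK_SAMPLE = """\
TLS: no client certificate specified; okay
Added 127 certificate authorities.
TLS: server certificate verification required.
TLS: checking peer certificate
TLS certificate verified: peerdn="CN=vsrv21575.customer.vlinux.de"
cipher: TLS1.3:ECDHE_SECP256R1__ECDSA_SECP384R1_SHA384__AES_256_GCM:256
"""

# Patterns for the debug lines quoted in the post (assumed stable in shape).
CA_LOADED_RE = re.compile(r"^Added (\d+) certificate authorities\.?$")
CA_IGNORED_RE = re.compile(r"^TLS: tls_verify_certificates not set or empty, ignoring")
VERIFY_REQUIRED_RE = re.compile(r"^TLS: server certificate verification required")
VERIFIED_RE = re.compile(r'^TLS certificate verified: peerdn="(?P<dn>[^"]*)"')
FAILED_RE = re.compile(
    r'^TLS certificate verification failed \((?P<reason>[^)]*)\): peerdn="(?P<dn>[^"]*)"'
)
ISSUER_UNKNOWN_RE = re.compile(r"certificate issuer is unknown", re.IGNORECASE)


@dataclass
class TlsVerifyReport:
    verification_required: bool = False
    ca_count: Optional[int] = None      # None: no "Added N certificate authorities" line
    ca_store_ignored: bool = False      # "tls_verify_certificates not set or empty" seen
    verified: Optional[bool] = None     # None: the verify step was never reached
    peer_dn: Optional[str] = None
    failure_reason: Optional[str] = None
    issuer_unknown: bool = False

    @property
    def verdict(self) -> str:
        if self.verified:
            return "verified"
        if self.verified is False:
            # Verification was demanded but no trust anchors were loaded: every
            # issuer is "unknown", so this is a local CA-store problem and not
            # evidence about the peer's certificate.
            if self.ca_store_ignored or not self.ca_count:
                return "failed: no CA store loaded"
            return f"failed: {self.failure_reason}"
        if self.verification_required:
            return "incomplete: verification required but the check was never reached"
        return "not verified: no verification requested"


def analyze(debug_text: str) -> TlsVerifyReport:
    """Classify one Exim client-side TLS debug transcript, line by line."""
    rep = TlsVerifyReport()
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := CA_LOADED_RE.match(line):
            rep.ca_count = int(m.group(1))
        elif CA_IGNORED_RE.match(line):
            rep.ca_store_ignored = True
        elif VERIFY_REQUIRED_RE.match(line):
            rep.verification_required = True
        elif m := VERIFIED_RE.match(line):
            rep.verified, rep.peer_dn = True, m.group("dn")
        elif m := FAILED_RE.match(line):
            rep.verified, rep.peer_dn = False, m.group("dn")
            rep.failure_reason = m.group("reason")
        elif ISSUER_UNKNOWN_RE.search(line):
            rep.issuer_unknown = True
    return rep


if __name__ == "__main__":
    for name, sample in (("4.95 RC0", RC0_SAMPLE), ("4.94.2", OK_SAMPLE)):
        rep = analyze(sample)
        print(f"{name}: {rep.verdict} (CAs loaded: {rep.ca_count}, peer: {rep.peer_dn})")
```

Run against the two excerpts, the RC0 transcript is classified as "failed: no CA store loaded" and the 4.94.2 one as "verified"; a transcript that loads CAs and still fails is reported with the reason Exim gives, which is the case that actually points at the remote side. For a live system, feed it the output of the debug run that produced the transcripts above.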