Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification …

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
On 2021-07-18 15:47, Jeremy Harris wrote:
> On 18/07/2021 15:50, Andreas Metzler via Exim-users wrote:
>> I am attaching both server and client logs. (Timezones are different,
>> UTC vs. CEST).
> Looks like it was an EC connection. The server seems to have had a pair
> of cert files; one has "rsa" in the name so I'm guessing the other has
> an EC cert?
Hello Jeremy,

Yes, that is correct.

> What is in that file, and what would the full chain of certs from
> CA to leaf be? The client is using the "system" CA bundle,
> and saying "certificate issuer is unknown" - I'm wondering
> if the knowledge of a cert intermediate between CA and leaf
> is missing somewhere along the line.
I do not think so. Both exim 4.94.2 and gnutls-cli and s_client[1] are
happy with the cert setup. It is a straightforward Let's Encrypt chain.

0 s:CN = vsrv21575.customer.vlinux.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
As it is a public server where one can grab the certs with e.g.
gnutls-cli or s_client -showcerts, I am not posting more detail for the sake
of brevity. I can set up a /dev/null mailbox for testing if you want me
to.

cu Andreas

[1]
gnutls-cli --starttls-proto smtp vsrv21575.customer.vlinux.de
openssl s_client -connect vsrv21575.customer.vlinux.de:25 -starttls smtp -verify_return_error
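The following script is an added illustration of the hypothesis discussed above (a client that trusts only the root failing with an "issuer unknown" error when the intermediate is not presented); it is not part of the original thread or of Exim. It builds a constructed root / intermediate / leaf chain with openssl, using placeholder names, and verifies the leaf with and without the intermediate. The `-untrusted inter.pem` argument stands in for the intermediate a correctly configured server sends in the TLS handshake; the error text checked is OpenSSL's wording for that condition, which corresponds to GnuTLS's "certificate issuer is unknown".

```sh
#!/bin/sh
# Constructed example, not from the thread: reproduce a verification failure
# caused by a missing intermediate and show that supplying it fixes the chain.
# All names are placeholders. Requires openssl 1.1.1 or newer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA with an EC key (the thread's connection was EC).
#    The root is signed via "x509 -req -signkey" so that its extensions come
#    only from the extfile and not from the system openssl.cnf.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
openssl req -new -key "$WORK/root.key" -subj "/CN=Example Root CA" -out "$WORK/root.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA signed by the root (the role "R3" plays in the thread's chain).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/inter.key"
openssl req -new -key "$WORK/inter.key" -subj "/CN=Example Intermediate CA" -out "$WORK/inter.csr"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# 3. Leaf (server) certificate signed by the intermediate.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -subj "/CN=mail.example.test" -out "$WORK/leaf.csr"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# check_chain with|without: verify the leaf against a trust store that holds
# only the root. "with" also passes the intermediate as an untrusted cert,
# i.e. what a server that sends its full chain gives the client. Prints OK or FAIL.
check_chain() {
    if [ "$1" = "with" ]; then
        if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
            echo OK
        else
            echo FAIL
        fi
    else
        if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
            echo OK
        else
            echo FAIL
        fi
    fi
}

# verify_error: the reason openssl reports when the intermediate is absent.
verify_error() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1
}

echo "leaf issuer:          $(openssl x509 -in "$WORK/leaf.pem" -noout -issuer)"
echo "without intermediate: $(check_chain without)"
echo "with intermediate:    $(check_chain with)"
echo "reason:               $(verify_error)"
```

The same two checks can be run against a real server by saving the chain that `openssl s_client -showcerts` prints: if verification only succeeds once the intermediate is added with `-untrusted`, the server is not sending it, whereas if it succeeds with the saved chain alone, the problem lies in the client's trust store or its chain handling.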