Author: Andreas Metzler
Date:
To: exim-users
Subject: Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
On 2021-07-18 15:47, Jeremy Harris wrote:
> On 18/07/2021 15:50, Andreas Metzler via Exim-users wrote:
>> I am attaching both server and client logs. (Timezones are different,
>> UTC vs. CEST).
> Looks like it was an EC connection. The server seems to have had a pair
> of cert files; one has "rsa" in the name so I'm guessing the other has
> an EC cert?
Hello Jeremy,
yes that is correct.
> What is in that file, and what would the full chain of certs from
> CA to leaf be? The client is using the "system" CA bundle,
> and saying "certificate issuer is unknown" - I'm wondering
> if the knowledge of a cert intermediate between CA and leaf
> is missing somewhere along the line.
I do not think so. Both exim 4.94.2 and gnutls-cli and s_client[1] are
happy with the cert setup. It is a straightforward Let's Encrypt chain.
 0 s:CN = vsrv21575.customer.vlinux.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
As it is a public server where one can grab the certs with e.g.
gnutls-cli or s_client -showcerts, I am not posting more detail for the sake
of brevity. I can set up a /dev/null mailbox for testing if you want me
to.
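As an added illustration (not code from the thread, from Exim or from GnuTLS), the following walks the chain listing quoted above by subject/issuer name only and reports at which depth a verifier would have to find a trust anchor; the trust-store subjects passed to it are constructed, and real signature, expiry and name checks are deliberately out of scope.

```python
"""Name-level chain walk over an `openssl s_client -showcerts` chain listing.

Models subject/issuer linkage only (no signatures, no expiry): enough to see
where a client would need a trust anchor before reporting an unknown issuer.
"""
import re
from typing import List, Sequence, Tuple

# Constructed sample input: the chain listing quoted in the message above.
CHAIN_LISTING = """\
 0 s:CN = vsrv21575.customer.vlinux.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# One chain entry: "<depth> s:<subject>" followed by a line "i:<issuer>".
_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(listing: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] ordered from the leaf (depth 0) upward."""
    entries = [(int(d), s.strip(), i.strip()) for d, s, i in _ENTRY.findall(listing)]
    entries.sort()
    return [(s, i) for _, s, i in entries]


def check_chain(chain: Sequence[Tuple[str, str]], trusted_subjects: Sequence[str]):
    """Walk leaf -> root; return (ok, message).

    Succeeds as soon as a chain cert's subject is a trust anchor, or when the
    last cert's issuer is one. Fails on a broken link (issuer does not match the
    next subject) or when no anchor is reached, i.e. the issuer is unknown.
    """
    trusted = set(trusted_subjects)
    for depth, (subject, issuer) in enumerate(chain):
        if subject in trusted:
            return True, f"trust anchor reached at depth {depth}: {subject}"
        if depth + 1 < len(chain):
            next_subject = chain[depth + 1][0]
            if next_subject != issuer:
                return False, f"broken link at depth {depth}: {issuer!r} != {next_subject!r}"
        elif issuer in trusted:
            return True, f"last issuer is a trust anchor: {issuer}"
    return False, f"no trust anchor found; issuer {chain[-1][1]!r} is unknown"


if __name__ == "__main__":
    chain = parse_chain(CHAIN_LISTING)
    # Constructed trust stores: the ISRG self-signed root only, and an unrelated root.
    print(check_chain(chain, ["C = US, O = Internet Security Research Group, CN = ISRG Root X1"]))
    print(check_chain(chain, ["CN = Some Other Root"]))
```

With only the self-signed ISRG Root X1 in the store the walk stops at depth 2 without needing DST Root CA X3, which is the difference between a trust store that knows the new root and one that knows only the old cross-signing root.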