Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification …

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
On Sun, Jul 18, 2021 at 06:29:41PM +0200, Andreas Metzler via Exim-users wrote:

> I do not think so. Both exim 4.94.2 and gnutls-cli and s_client[1] are
> happy with the cert setup. It is a straightforward Let's Encrypt chain.
>
>  0 s:CN = vsrv21575.customer.vlinux.de
>    i:C = US, O = Let's Encrypt, CN = R3
>  1 s:C = US, O = Let's Encrypt, CN = R3
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3

The self-signature on the DST Root CA X3 is SHA-1; any chance the new
Exim discriminates against SHA-1 self-signed roots? This root CA
expires on 2021-09-30...

FWIW, OpenSSL will typically ignore the depth 2 certificate by finding
the "ISRG X1" root in the local trust store. I don't know what GnuTLS
does, or whether the ISRG Root is installed in the GnuTLS trust store
on your system.

-- 
    Viktor.
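The chain-building behaviour Viktor describes (the verifier stops at the first issuer it finds in its local trust store and ignores the rest of the presented chain), as an added example that is not part of the thread: a small Python model run over the chain Andreas posted, against two constructed trust stores, one holding ISRG Root X1 and one holding only the SHA-1-signed, expiring DST Root CA X3. The trust-store contents, the ISRG Root X1 expiry placeholder and the function names are assumptions.

```python
import re
from datetime import date

# The chain exactly as "openssl s_client" printed it in the quoted message.
CHAIN_TEXT = """\
 0 s:CN = vsrv21575.customer.vlinux.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
ISRG_X1 = "C = US, O = Internet Security Research Group, CN = ISRG Root X1"
DST_X3 = "O = Digital Signature Trust Co., CN = DST Root CA X3"

# Constructed trust stores: subject -> (notAfter, self-signature digest).
# DST Root CA X3's 2021-09-30 expiry and SHA-1 self-signature come from the
# thread; the ISRG Root X1 entry is a placeholder, not its real notAfter.
STORE_WITH_ISRG = {ISRG_X1: (date(2099, 1, 1), "sha256"), DST_X3: (date(2021, 9, 30), "sha1")}
STORE_DST_ONLY = {DST_X3: (date(2021, 9, 30), "sha1")}

def parse_chain(text):
    """Return [(subject, issuer), ...] in depth order from s_client output."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    return list(zip(subjects, issuers))

def build_path(chain, trust_store, today):
    """Walk the presented chain until an issuer is a local trust anchor;
    certificates presented after that point are ignored, as OpenSSL does."""
    used, problems, anchor = [], [], None
    for depth, (subject, issuer) in enumerate(chain):
        used.append(depth)
        if issuer in trust_store:  # path ends at the local anchor
            anchor = issuer
            break
        if depth + 1 < len(chain) and chain[depth + 1][0] != issuer:
            problems.append(f"depth {depth}: issuer does not match next subject")
            break
    if anchor is None:
        problems.append("no trust anchor reached")
    else:
        not_after, digest = trust_store[anchor]
        if today > not_after:
            problems.append(f"anchor expired on {not_after}")
        if digest == "sha1":  # not needed to trust an anchor, but strict verifiers may reject it
            problems.append("anchor self-signature uses SHA-1")
    ignored = list(range(len(used), len(chain))) if anchor else []
    return {"anchor": anchor, "used": used, "ignored": ignored, "problems": problems}
```

With ISRG Root X1 present locally the path closes at depth 1 and the presented depth 2 certificate is never examined; with only DST Root CA X3 present the path runs to depth 2 and lands on the SHA-1-signed root that expires on 2021-09-30.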