[exim] TLS "certificate expired" warnings on inbound connect…

Góra strony
Delete this message
Reply to this message
Autor: Tim Jackson
Data:  
Dla: exim-users
Temat: [exim] TLS "certificate expired" warnings on inbound connections
I have some legitimate-looking hosts from a major bank producing log lines
like this when attempting incoming connections to a public MX:

TLS error on connection from r209.notifications.natwest.com
[130.248.154.209]:44104 I=[167.235.252.255]:25 (SSL_accept):
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

Is this me (server) dropping the connection or them? (From the log, it reads a
bit like me, but I'm definitely not trying to do any client certificate
verification so it's unclear which certificate is "expired"). I'm far from an
expert on TLS, but I believe I have a sane certificate chain (up to date from
Let's Encrypt via acme-tiny; neither the cert nor the CA certs are expired).
Other hosts successfully send mail via TLS all the time; it's only this
specific group of hosts (*.notifications.natwest.com) where I'm seeing the issue.

Is this likely an instance of the Let's Encrypt issue [1][2], where the client
is using an old/buggy SSL implementation?

I can exclude these hosts via tls_advertise_hosts to (presumably) "solve" the
issue, but it would be interesting to know if

- I could/should do anything different (e.g. Workaround 3 from [1], i.e.
request a different CA chain?), or
- just put it down to a broken client.

(I've been using this configuration for quite a while and don't recall ever
seeing this issue before).

Environment: Exim 4.94.2 / Linux / OpenSSL 1.1.1k

# exim -bP tls_try_verify_hosts
tls_try_verify_hosts =
# exim -bP tls_verify_hosts
tls_verify_hosts =

# openssl s_client -starttls smtp mx1.firecluster.net:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mx1.firecluster.net
verify return:1
---
Certificate chain
  0 s:CN = mx1.firecluster.net
    i:C = US, O = Let's Encrypt, CN = R3
  1 s:C = US, O = Let's Encrypt, CN = R3
    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=CN = mx1.firecluster.net


issuer=C = US, O = Let's Encrypt, CN = R3




Tim

[1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
[2] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/