Re: [exim] TLS "certificate expired" warnings on inbound con…

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [exim] TLS "certificate expired" warnings on inbound connections
On 31/05/2022 20:53, Heiko Schlittermann via Exim-users wrote:

>> TLS error on connection from r209.notifications.natwest.com
>> [130.248.154.209]:44104 I=[167.235.252.255]:25 (SSL_accept):
>> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
>
> Is there any chance that the client tries to present you a certificate,
> even if you do not request it?


Well, anything is possible I suppose. It's a good question; I did wonder if it
was a client certificate issue, but I assumed Exim wouldn't complain if a
client certificate (even expired) is presented when not requested. (Hence why
I started looking at the server certificate). Would we consider that an Exim
bug if so?

> I'm a bit surprised that Exim drops the connection (doesn't it?) seeing
> the expired certificate, but this isn't very unlikely. I'd use a packet
> capture to check the certificates from both sides.


Good idea - I'll see if I can capture next time they retry.

Tim