Re: [exim] debugging tls handshake failure

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] debugging tls handshake failure
On Mon, Nov 21, 2022 at 09:41:12PM +0000, Julian Bradfield via Exim-users wrote:

> I should like to know what's happening here:
>
> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.


OpenSSL would usually log the alert number (and associated text string),
from which one could infer more information about what the remote client
is unhappy about. I'd hope that GnuTLS could also log this (or make the
alert info available to Exim to optionally log).

That said, the most common issues that remote clients are unhappy about
are untrusted certificates and expired certificates. Perhaps you have a
Let's Encrypt certificate chain that includes a cross cert to the now
expired DST Root CA (for Android compatibility). You can configure
certbot et. al. to build a chain that skips the cross cert, expecting
clients to support the ISRG root.

    https://www.mail-archive.com/postfix-users@postfix.org/msg94314.html


-- 
    Viktor.