Viktor wrote:
>> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.
>
>OpenSSL would usually log the alert number (and associated text string),
>from which one could infer more information about what the remote client
>is unhappy about. I'd hope that GnuTLS could also log this (or make the
>alert info available to Exim to optionally log).
Hopefully if I set it correctly, per Jeremy's reply below, it will.
>That said, the most common issues that remote clients are unhappy about
>are untrusted certificates and expired certificates. Perhaps you have a
>Let's Encrypt certificate chain that includes a cross cert to the now
>expired DST Root CA (for Android compatibility). You can configure
>certbot et. al. to build a chain that skips the cross cert, expecting
>clients to support the ISRG root. >If the server in question is "london.jcbradfield.org", then another
>potential issue is a missing intermediate issuer certificate. Your
>certificate chain has only the leaf server certificate without the
>required "R3" intermediate issuer certificate. If using certbot, use
>"fullchain.pem" not "cert.pem" (or the equivalent for a different
>setup).
Indeed. That's only been the case recently. For the last 20 years,
I've been presenting a self-signed certificate and had never noticed any
problems. A few days ago I happened to notice my bank getting these
TLS fatal alerts and then *not* falling through to plain text, which
most others do.
So I started experimenting, but hadn't yet got as far as giving the
full chain (largely, I admit, because I don't have certification
internalized, and just follow recipes).
Jeremy wrote: >The gnutls library helpfully (I infer) reads the environment at
>process startup, too early for the config-driven addition of that
>variable. Try having the thing firing off the exim process
>adding to the environment instead. You'll need to add it
>to keep_environment.
Thanks! Should have thought of that.
>Alternatively, since you know there's an alert involved, go down
>the packet capture route. You'll need to
>add_environment = SSLKEYLOGFILE=<SOME_DIRECTORY>/sslkeys
>and tell wireshark where to pick them up
>(edit/pref/protocols/tls/ Master Secret Log filename)
Ugh. Hopefully not... Presumably that would also have to be done by
setting it before exim start.
>Oh, yes, do ensure you're running with Exim's debug facilities
>enabled. Commandline option or ACL modifier.
Tried that. Debug +tls gave nothing useful.
Kirill wrote:
something in base64 which got saved as such:) (Anybody know a
newsreader which supports following up to multiple article at once?)
Asking I think for any information, as he sees something similar. Will
do.