Re: [exim] debugging tls handshake failure

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] debugging tls handshake failure
On Wed, Nov 23, 2022 at 06:25:29PM +0000, Julian Bradfield via Exim-users wrote:

> >If the server in question is "london.jcbradfield.org", then another
> >potential issue is a missing intermediate issuer certificate. Your
> >certificate chain has only the leaf server certificate without the
> >required "R3" intermediate issuer certificate. If using certbot, use
> >"fullchain.pem" not "cert.pem" (or the equivalent for a different
> >setup).
>
> Indeed. That's only been the case recently. For the last 20 years,
> I've been presenting a self-signed certificate and had never noticed
> any problems. A few days ago I happened to notice my bank getting
> these TLS fatal alerts and then *not* falling through to plain text,
> which most others do. So I started experimenting, but hadn't yet got
> as far as giving the full chain (largely, I admit, because I don't
> have certification internalized, and just follow recipes).


So, have you tried configuring a complete certificate chain (ideally
without the Android compatibility crutch)? Did that make any
difference?

If you disable TLS 1.3, the alerts will be unencrypted in a packet
capture, which you could then decode with "tshark" or wireshark without
needing to resort to TLS key export.

-- 
    Viktor.
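The second suggestion in the reply above, reading the unencrypted alert off a packet capture once TLS 1.3 is disabled, is easy to reproduce without tshark. The following is an added example, not code from the thread or from Exim: a small stand-alone decoder for the TLS record layer that pulls out plaintext alert records (content type 21) and names their level and description per RFC 5246. The byte string it runs on is constructed here to look like what a capture of a failed TLS 1.2 handshake would contain: a ServerHello-shaped handshake record, then a fatal `unknown_ca` (48) alert from a client that could not chain the server certificate to a trusted root (the symptom of a missing intermediate), then a `close_notify`.

```python
"""Decode plaintext TLS alert records from a packet-capture byte string.

Added example (not from the exim-users thread). With TLS 1.3 disabled, a
handshake alert travels as a TLS 1.2 record of content type 21 whose
two-byte body is (level, description), so it can be read straight off the
wire without exporting session keys.
"""
import struct
from dataclasses import dataclass

CONTENT_TYPE_ALERT = 21

# AlertDescription values and names from RFC 5246 section 7.2.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error",
    60: "export_restriction_RESERVED", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


@dataclass
class Alert:
    version: str      # record-layer version as written on the wire
    level: str        # "warning" / "fatal" / "encrypted"
    description: str  # RFC name, or a placeholder when unreadable
    code: int         # numeric AlertDescription, -1 if encrypted


def parse_alert_records(data: bytes) -> list[Alert]:
    """Walk the TLS records in `data` and return every alert record found.

    Handshake and other non-alert records are skipped by length. A record
    header or body that runs past the end of the buffer raises ValueError,
    so a truncated capture is reported rather than silently misread. An
    alert whose body is not exactly 2 bytes is an encrypted alert (TLS 1.2
    after the handshake) and is flagged as unreadable without key material.
    """
    alerts: list[Alert] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        body = data[offset + 5 : offset + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        if ctype == CONTENT_TYPE_ALERT:
            ver = RECORD_VERSIONS.get(version, f"0x{version:04x}")
            if length == 2:
                level, desc = body
                alerts.append(Alert(
                    version=ver,
                    level=ALERT_LEVELS.get(level, f"level {level}"),
                    description=ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
                    code=desc,
                ))
            else:
                alerts.append(Alert(ver, "encrypted", "encrypted_alert", -1))
        offset += 5 + length
    return alerts


def describe(data: bytes) -> list[str]:
    """One human-readable line per alert, in wire order."""
    return [f"{a.version} alert: {a.level} {a.description} ({a.code})"
            for a in parse_alert_records(data)]


# Constructed sample capture (not real traffic): a 4-byte handshake record
# standing in for a ServerHello, then a fatal unknown_ca alert, then a
# warning close_notify.
SAMPLE_CAPTURE = (
    bytes.fromhex("1603030004") + bytes.fromhex("02000000")  # handshake stub
    + bytes.fromhex("1503030002") + bytes.fromhex("0230")    # fatal unknown_ca
    + bytes.fromhex("1503030002") + bytes.fromhex("0100")    # warning close_notify
)

if __name__ == "__main__":
    for line in describe(SAMPLE_CAPTURE):
        print(line)
```

To use it on a real capture, export the TCP payload bytes of the server-to-client or client-to-server stream from wireshark as hex and feed them to `parse_alert_records`. A `fatal unknown_ca` from the remote side is the usual signal that the presented chain stops at the leaf, which is exactly what switching from `cert.pem` to `fullchain.pem` fixes.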