Author: Cyborg Date: To: exim-users Subject: [exim] A study of failing tls certs, with valid certificate files
Hi all,
please take this text as it is, a study for a fail you could avoid, no
fingerpointing, no flaming, only suggestions what to look for/change in
your toolchains.
In early December 2022 the server in question switched his os release
and was restarted (exim including). In this upgrade, the following
switch was made:
Yesterday evening at around 22:25 CET ( +1 GMT ) openssl( via exim )
started to spit out these messages on incoming connections:
2023-01-08 22:25:18 TLS error on connection from
vmi395689.contaboserver.net [5.189.157.109] (SSL_accept):
error:0A000415:SSL routines::sslv3 alert certificate expired
This was caused by the EOT of the cert loaded at the last update
(2022-12-01) and exim not being restarted since.
This was happening for the first time since Let's Encrypted was formed (
we use it since then ), so for years by now.
ATM this exim is in use:
Name : exim
Version : 4.96
Release : 6.fc36
Architecture: x86_64
Install Date: Do 01 Dez 2022 08:01:27 CET
Build Date : Di 22 Nov 2022 15:25:30 CET
Name : openssl
Version : 3.0.5
Release : 2.fc36
Architecture: x86_64
Install Date: Mo 28 Nov 2022 20:41:00 CET
Build Date : Di 01 Nov 2022 17:26:57 CET
/etc/pki/tls/certs/exim.pem is the default location for Fedoras exim
package.
O== are there more systems?
Yes, there are, this is just the one, we detected it first. So it's not
a glitch.
O== Conclusion:
As I can't remember any downstream patches to Exim inside Fedora's
build, so something changed how exim or openssl3 is handling the
underlying certificate switch detection. As Exim had only a tiny minor
switch, OpenSSL3 is my personal candidate for this.
O== Suggestions:
In this combination exim needs to be restarted, when the server cert was
renewed, as the auto detection is not reliable working any more.
It may be a good idea to check for a new solution inside exim like auto
reloading the used cert every 24h's the server is running, if openssl3
is causing this "detection" bug.