Re: [exim] A study of failing tls certs, with valid certifi…

Pàgina inicial
Delete this message
Reply to this message
Autor: Andreas Metzler
Data:  
A: exim-users
Assumpte: Re: [exim] A study of failing tls certs, with valid certificate files
On 2023-01-09 Cyborg via Exim-users <exim-users@???> wrote:
> please take this text as it is, a study for a fail you could avoid, no
> fingerpointing, no flaming, only suggestions what to look for/change in your
> toolchains.


> In early December 2022 the server in question switched his os release and
> was restarted (exim including). In this upgrade, the following switch was
> made:


> FROM:


> 2022-11-28T20:46:24+0100 SUBDEBUG Upgraded: exim-4.96-5.fc35.x86_64
> 2022-11-28T20:46:32+0100 SUBDEBUG Upgraded: *openssl-1:*1.1.1q-1.fc35.x86_64

[...]
> As I can't remember any downstream patches to Exim inside Fedora's build, so
> something changed how exim or openssl3  is handling the underlying
> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
> is my personal candidate for this.

[...]

The major change in recentish time was in 4.95 
11. Faster TLS startup.  When various configuration options contain no
    expandable elements, the information can be preloaded and cached rather
    than the provious behaviour of always loading at startup time for every
    connection.  This helps particularly for the CA bundle.


I have also switch to restarting instead of HUP-ing my exim after cert
updates at some point because the old cert still showed up.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'