Re: [exim] A study of failing tls certs, with valid certifi…

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] A study of failing tls certs, with valid certificate files
On 2023-01-09 Cyborg via Exim-users <exim-users@???> wrote:
> please take this text as it is, a study for a fail you could avoid, no
> fingerpointing, no flaming, only suggestions what to look for/change in your
> toolchains.


> In early December 2022 the server in question switched its OS release and
> was restarted (exim included). In this upgrade, the following switch was
> made:


> FROM:


> 2022-11-28T20:46:24+0100 SUBDEBUG Upgraded: exim-4.96-5.fc35.x86_64
> 2022-11-28T20:46:32+0100 SUBDEBUG Upgraded: *openssl-1:*1.1.1q-1.fc35.x86_64

[...]
> As I can't remember any downstream patches to Exim inside Fedora's build,
> something changed in how exim or openssl3 is handling the underlying
> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
> is my personal candidate for this.

[...]

The major change in recentish time was in 4.95:
11. Faster TLS startup.  When various configuration options contain no
    expandable elements, the information can be preloaded and cached rather
    than the previous behaviour of always loading at startup time for every
    connection.  This helps particularly for the CA bundle.


I have also switched to restarting instead of HUP-ing my exim after cert
updates at some point because the old cert still showed up.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
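The failure discussed in this thread is a server that keeps presenting a stale certificate after the file on disk was renewed (a cached or preloaded cert surviving a HUP). The following is an added example, not code from the thread or from the Exim project, of the check an operator would want in a post-renewal hook: compare the SHA-256 fingerprint of the certificate file with the fingerprint of the leaf certificate the SMTP listener actually serves after STARTTLS. The host name and the certificate path in the usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Exim project):
# verify that the certificate an SMTP server presents after STARTTLS is
# the one currently on disk. A mismatch is the symptom described in the
# thread; the remedy the poster settled on is a full restart of exim
# rather than a HUP. Host names and file paths below are assumptions.

# SHA-256 fingerprint of a PEM certificate file, as "AB:CD:..."
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served on an SMTP port.
# Usage: served_fingerprint mail.example.org 25
served_fingerprint() {
    host=$1
    port=${2:-25}
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 when both fingerprints are non-empty and identical, 1 otherwise.
# An empty value means a certificate could not be read or fetched at all.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare the on-disk certificate with the one actually served.
# Usage: check_served_cert /etc/exim/exim.crt mail.example.org 25
# Exit status: 0 match, 1 mismatch or unreachable, 2 unreadable cert file.
check_served_cert() {
    disk=$(pem_fingerprint "$1")
    [ -n "$disk" ] || return 2
    live=$(served_fingerprint "$2" "$3")
    if fingerprints_match "$disk" "$live"; then
        echo "OK: served certificate matches $1"
        return 0
    fi
    echo "MISMATCH: disk=$disk served=${live:-<none>} (restart exim, a HUP may not reload it)" >&2
    return 1
}
```

Run `check_served_cert` from whatever renews the certificate (an ACME deploy hook, for instance) after the service has been restarted; a non-zero exit is the signal that the listener is still serving the old certificate and that the restart, not just the file replacement, has to be repeated or investigated.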