Re: [exim] A study of failing tls certs, with valid certifi…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Jeremy Harris
Ημερομηνία:  
Προς: exim-users
Καινούρια Θέματα: Re: [exim] A study of failing tls certs, with valid certificate files
Αντικείμενο: Re: [exim] A study of failing tls certs, with valid certificate files
On 09/01/2023 17:39, Andreas Metzler via Exim-users wrote:
> On 2023-01-09 Cyborg via Exim-users <exim-users@???> wrote:
>> please take this text as it is, a study for a fail you could avoid, no
>> fingerpointing, no flaming, only suggestions what to look for/change in your
>> toolchains.
>
>> In early December 2022 the server in question switched his os release and
>> was restarted (exim including). In this upgrade, the following switch was
>> made:
>
>> FROM:
>
>> 2022-11-28T20:46:24+0100 SUBDEBUG Upgraded: exim-4.96-5.fc35.x86_64
>> 2022-11-28T20:46:32+0100 SUBDEBUG Upgraded: *openssl-1:*1.1.1q-1.fc35.x86_64
> [...]
>> As I can't remember any downstream patches to Exim inside Fedora's build, so
>> something changed how exim or openssl3  is handling the underlying
>> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
>> is my personal candidate for this.
> [...]
>
> The major change in recentish time was in 4.95
> 11. Faster TLS startup.  When various configuration options contain no
>      expandable elements, the information can be preloaded and cached rather
>      than the provious behaviour of always loading at startup time for every
>      connection.  This helps particularly for the CA bundle.

>
> I have also switch to restarting instead of HUP-ing my exim after cert
> updates at some point because the old cert still showed up.


Interesting. Is/are you cert(s) behind a symlink, from the place
baked into the TLS library (which is what Exim monitors)?

If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
"Symlink following for TLS creds files"
These are post-4.96 so have not hit a release yet.
--
Cheers,
Jeremy