Re: [exim] A study of failing tls certs, with valid certifi…

Author: Andreas Metzler
Date:  
To: exim-users
Old-Topics: Re: [exim] A study of failing tls certs, with valid certificate files
Subject: Re: [exim] A study of failing tls certs, with valid certificate files
On 2023-01-09 Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 09/01/2023 17:39, Andreas Metzler via Exim-users wrote:

[...]
>>> something changed how exim or openssl3 is handling the underlying
>>> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
>>> is my personal candidate for this.
>> [...]


>> The major change in recentish time was in 4.95
>> 11. Faster TLS startup.  When various configuration options contain no
>>      expandable elements, the information can be preloaded and cached rather
>>      than the previous behaviour of always loading at startup time for every
>>      connection.  This helps particularly for the CA bundle.

>>
>> I have also switched to restarting instead of HUP-ing my exim after cert
>> updates at some point because the old cert still showed up.


> Interesting. Is/are your cert(s) behind a symlink, from the place
> baked into the TLS library (which is what Exim monitors)?


> If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
> "Symlink following for TLS creds files"
> These are post-4.96 so have not hit a release yet.


Hello Jeremy,

I have had this on my TODO, waiting for the next letsencrypt cert
update. I dropped the
"service exim4 stop ; sleep .2 ; service exim4 start"
from my post update script and checked whether exim now automatically
saw the new certs. It did. :-)

I am not symlinking my certs and since this was on Debian's 4.96-14~bpo11+1
neither of the two symlink-cert fixes is included. (I will consider
cherry-picking them anyway.) So it looks like something else was broken
at some point in time and is fixed again.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
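A check for the situation the thread describes (does a running Exim present the renewed certificate, or the stale one it cached before the update?), added here as an example and not code from the thread or from Exim: it fingerprints the leaf certificate in the on-disk PEM file and the certificate the live SMTP listener presents after STARTTLS, then compares the two. The host name, port 25 and the certificate path are assumptions to be filled in for your own system.

```python
import base64
import hashlib
import smtplib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate: lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the first (leaf) certificate in a PEM string such as fullchain.pem.
    ssl.PEM_cert_to_DER_cert only strips the markers and base64-decodes, so a
    chain file must be cut down to its first block before decoding."""
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem[start:end]))


def normalise(fp: str) -> str:
    """Accept the 'AB:CD:...' form printed by 'openssl x509 -fingerprint' as well."""
    return fp.replace(":", "").strip().lower()


def served_fingerprint(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Connect, issue STARTTLS and fingerprint the certificate the listener presents.
    Chain verification is disabled on purpose: we compare identity, not validity."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return der_fingerprint(smtp.sock.getpeercert(binary_form=True))


def cert_status(served_fp: str, file_fp: str) -> str:
    """'current' when the listener presents the on-disk cert, otherwise 'stale'."""
    return "current" if normalise(served_fp) == normalise(file_fp) else "stale"


def check_live_cert(host: str, cert_path: str, port: int = 25) -> str:
    """Read the PEM file (e.g. /etc/letsencrypt/live/<host>/fullchain.pem, an assumed path)
    and report whether the running MTA serves it yet."""
    with open(cert_path, encoding="ascii") as fh:
        return cert_status(served_fingerprint(host, port), pem_fingerprint(fh.read()))


# Constructed placeholder bytes for offline self-checks; this is NOT a real certificate.
CONSTRUCTED_DER = b"constructed placeholder bytes, not a real certificate"
CONSTRUCTED_PEM = PEM_BEGIN + "\n" + base64.encodebytes(CONSTRUCTED_DER).decode() + PEM_END + "\n"
```

Run `check_live_cert("mail.example.org", "/path/to/fullchain.pem")` right after a renewal; "stale" means the daemon is still serving the old credentials and needs the restart the thread discusses.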