Re: [exim] Wildcard CN verify error

Author: Lance Lovette
Date:  
To: exim-users
Subject: Re: [exim] Wildcard CN verify error
It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
smtp.mailgun.org.)

    $ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null | openssl x509 -noout -text


        X509v3 Subject Alternative Name:
            DNS:*.mailgun.org, DNS:mailgun.org


I'm running Exim version 4.95 (in an Alpine Linux v3.16 container.)

Here are a few surrounding log lines:

    SSL_connect: SSLv3/TLS read server hello
    SSL_connect: TLSv1.3 read encrypted extensions
    SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
    LOG: MAIN
      [34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"
    SSL verify name failure overridden (host in tls_try_verify_hosts)
    SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org
    SSL_connect: SSLv3/TLS read server certificate
    SSL_connect: TLSv1.3 read server certificate verify


I have a layman's understanding of SSL certs so apologies for any naivety :)

Thanks!
Lance
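
Added example, not part of the original message and not Exim's own code: a small Python check that pulls the H= host out of the "certificate name mismatch" log line quoted above and compares it with the SAN DNS entries from the openssl output, using RFC 6125-style wildcard rules. The function names are hypothetical, and refusing wildcards with fewer than two fixed labels is a conservative assumption of this sketch.

```python
import re

# Values copied from the message above: the SAN list printed by openssl and
# the Exim log line (rejoined onto one line).
SAN_DNS = ["*.mailgun.org", "mailgun.org"]
LOG_LINE = ('[34.160.13.42] SSL verify error: certificate name mismatch: '
            'DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC'
            '/CN=*.mailgun.org" H="smtp.mailgun.com"')


def parse_mismatch(line):
    """Return (ip, dn, host) from a 'certificate name mismatch' line, or None."""
    m = re.search(r'\[([^\]]+)\] SSL verify error: certificate name mismatch: '
                  r'DN="([^"]*)" H="([^"]*)"', line)
    return m.groups() if m else None


def dns_id_matches(pattern, host):
    """Case-insensitive DNS-ID comparison; '*' is accepted only as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption of this sketch: need two fixed labels, so "*.org" never matches.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def matching_sans(sans, host):
    """List the SAN entries that cover the given host name."""
    return [s for s in sans if dns_id_matches(s, host)]


if __name__ == "__main__":
    ip, dn, host = parse_mismatch(LOG_LINE)
    print("host checked by Exim:", host)
    for candidate in (host, "smtp.mailgun.org", "mailgun.org", "a.b.mailgun.org"):
        print(f"{candidate:20} ->", matching_sans(SAN_DNS, candidate) or "no match")
```

Run against the values in the message, the H= name gets no match from either SAN entry, while smtp.mailgun.org matches the wildcard entry.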