On Tue, Apr 18, 2023 at 05:03:47PM -0400, Lance Lovette via Exim-users wrote:
> It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
> smtp.mailgun.org.)
>
> $ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null
> | openssl x509 -noout -text
>
> X509v3 Subject Alternative Name:
> DNS:*.mailgun.org, DNS:mailgun.org
>
> I'm running Exim version 4.95 (in a Alpine Linux v3.16 container.)
>
> Here's a few surrounding log lines:
>
> SSL_connect: SSLv3/TLS read server hello
> SSL_connect: TLSv1.3 read encrypted extensions
> SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=
> www.digicert.com/CN=DigiCert Global Root G2
> SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2
> TLS RSA SHA256 2020 CA1
> LOG: MAIN
> [34.160.13.42] SSL verify error: certificate name mismatch:
> DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.
> mailgun.org" H="smtp.mailgun.com"
The H="smtp.mailgun.com" shows that your host is expected cert for
"smtp.mailgun.com" (and would accept CN="*.mailgun.com"), but got
cert for "*.mailgun.org" / "mailgun.org". This is a name mismatch:
mailgun.org != mailgun.com.
But your configuration does not insist for strict match (should be if
host is in tls_try_verify_hosts, but not in tls_verify_hosts), so this
verification failure was ignored:
> SSL verify name failure overridden (host in tls_try_verify_hosts)
> SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN
> TECHNOLOGIES, INC/CN=*.mailgun.org
> SSL_connect: SSLv3/TLS read server certificate
> SSL_connect: TLSv1.3 read server certificate verify
--
Eugene Berdnikov
