Re: [exim] Wildcard CN verify error

Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] Wildcard CN verify error
On Tue, Apr 18, 2023 at 05:03:47PM -0400, Lance Lovette via Exim-users wrote:
> It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
> smtp.mailgun.org.)
>
>     $ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null | openssl x509 -noout -text
>
>         X509v3 Subject Alternative Name:
>             DNS:*.mailgun.org, DNS:mailgun.org
>
> I'm running Exim version 4.95 (in an Alpine Linux v3.16 container.)
>
> Here's a few surrounding log lines:
>
>     SSL_connect: SSLv3/TLS read server hello
>     SSL_connect: TLSv1.3 read encrypted extensions
>     SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
>     SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
>     LOG: MAIN
>       [34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"

The H="smtp.mailgun.com" shows that your host expected a cert for
"smtp.mailgun.com" (and would have accepted CN="*.mailgun.com"), but got a
cert for "*.mailgun.org" / "mailgun.org". This is a name mismatch:
mailgun.org != mailgun.com.

But your configuration does not insist on a strict match (which is the
case if the host is in tls_try_verify_hosts but not in tls_verify_hosts),
so this verification failure was ignored:

>     SSL verify name failure overridden (host in tls_try_verify_hosts)
>     SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org
>     SSL_connect: SSLv3/TLS read server certificate
>     SSL_connect: TLSv1.3 read server certificate verify

--
Eugene Berdnikov
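The name check behind the log lines above, as an added illustration (not Exim's own code): a DNS-ID pattern such as `*.mailgun.org` is matched against the expected host name using the usual RFC 6125 wildcard rules, and the result is then handled strictly (`tls_verify_hosts`) or leniently (`tls_try_verify_hosts`). The SAN list is taken from the thread; the function names are this example's own.

```python
"""Hostname vs. certificate-name matching of the kind a TLS client such as
Exim performs for tls_verify_hosts / tls_try_verify_hosts.

Added example, not Exim's code.  Rules follow RFC 6125 section 6.4.3 in the
form most TLS stacks apply: '*' is honoured only as the entire leftmost
label, it matches exactly one label, and it never matches a bare
registrable domain like "mailgun.org".
"""
from __future__ import annotations

# Constructed from the thread: SAN entries of the certificate that was offered.
SAN_ENTRIES = ["*.mailgun.org", "mailgun.org"]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one DNS-ID pattern from the certificate covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, no other label may
    # contain one, and "*.org"-style patterns are rejected outright.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(san_entries: list[str], hostname: str) -> bool:
    """True if any SAN DNS entry covers the expected hostname."""
    return any(name_matches(p, hostname) for p in san_entries)


def verify_outcome(san_entries: list[str], hostname: str, strict: bool) -> str:
    """Mimic the decision Exim logs: strict == host listed in tls_verify_hosts,
    non-strict == host listed only in tls_try_verify_hosts."""
    if cert_matches(san_entries, hostname):
        return "ok"
    return "fail" if strict else "name failure overridden"


if __name__ == "__main__":
    for host in ("smtp.mailgun.com", "smtp.mailgun.org"):
        print(host, "->", verify_outcome(SAN_ENTRIES, host, strict=False))
```

With the expected name `smtp.mailgun.com` the result is "name failure overridden", which is exactly what the try-verify configuration in the thread logs; pointing the transport at `smtp.mailgun.org` (or listing the host in `tls_verify_hosts` to make the mismatch fatal) is the defender's choice.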