[exim] exim spitting out "bad certificate" log lines

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Cyborg
Dátum:  
Címzett: Matt Corallo via Exim-users
Tárgy: [exim] exim spitting out "bad certificate" log lines
openssl 3.0.9
Exim 4.96

Good Morning,

a "sort of" post mortem for you:

O== What happened?

Since 08:15 CEST Exim is spitting out these errors:

2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:15:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:01 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:07 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:20 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:33 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:44 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:44 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:44 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:45 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:46 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:47 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:47 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:47 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:47 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:47 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:48 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:49 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:49 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:49 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:49 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:49 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:50 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:50 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:16:50 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate

...

2023-07-13 09:00:51 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:51 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:52 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:53 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 09:00:54 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate

which, for itself, are not so uncommon in the logfile. This morning they
exploded massively.

--

A user with a "COPR-HYPERV" environment reported, that his exchange
can't connect to the server
with a cert error. checktls on the other side gave the system a 114 out
of 124 points, (you need DANE for the last 10 points)

--

Mailgunserver seem to have this issue to:

2023-07-12 16:11:44 TLS error on connection from
mail229-77.mail.etsy.com [143.55.229.77] (SSL_accept):
error:0A000412:SSL routines::sslv3 alert bad certificate
2023-07-12 16:18:08 TLS error on connection from
guardpost-n04.euc1.mailgun.co
(guardpost-n04.prod.eu-central-1.postgun.com) [3.65.122.213]
(SSL_accept): error:0A000412:SSL routines::sslv3 alert bad certificate
2023-07-12 16:39:55 TLS error on connection from
guardpost-n03.euc1.mailgun.co
(guardpost-n03.prod.eu-central-1.postgun.com) [3.74.55.73] (SSL_accept):
error:0A000412:SSL routines::sslv3 alert bad certificate
2023-07-12 16:43:46 TLS error on connection from
guardpost-n03.euc1.mailgun.co
(guardpost-n03.prod.eu-central-1.postgun.com) [3.74.55.73] (SSL_accept):
error:0A000412:SSL routines::sslv3 alert bad certificate
2023-07-12 18:01:31 TLS error on connection from o78.p8.mailjet.com
[87.253.233.78] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 18:12:15 TLS error on connection from o237.p30.mailjet.com
[185.211.121.237] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 18:51:41 TLS error on connection from m196-128.mailgun.net
[161.38.196.128] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 18:58:11 TLS error on connection from o193.p9.mailjet.com
[87.253.234.193] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 20:08:42 TLS error on connection from pc232-9.mailgun.net
[143.55.232.9] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 20:09:57 TLS error on connection from o237.p30.mailjet.com
[185.211.121.237] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 20:20:46 TLS error on connection from o191.p9.mailjet.com
[87.253.234.191] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 20:34:09 TLS error on connection from o122.p25.mailjet.com
[185.189.236.122] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 21:09:37 TLS error on connection from m36-217.mailgun.net
[69.72.36.217] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-12 21:15:40 TLS error on connection from
outbound-402da386.pinterestmail.com [64.45.163.134] (SSL_accept):
error:0A000412:SSL routines::sslv3 alert bad certificate
2023-07-13 02:01:01 TLS error on connection from o8.p38.mailjet.com
[185.250.237.8] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 03:33:02 TLS error on connection from m240-157.my-hammer.de
[159.112.240.157] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 03:43:34 TLS error on connection from m240-157.my-hammer.de
[159.112.240.157] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 03:47:40 TLS error on connection from m41-123.mailgun.net
[69.72.41.123] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 06:00:11 TLS error on connection from o94.p27.mailjet.com
[185.189.238.94] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 06:00:19 TLS error on connection from o28.p29.mailjet.com
[185.211.120.28] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 06:13:53 TLS error on connection from o199.p31.mailjet.com
[185.211.122.199] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 06:20:32 TLS error on connection from o200.p31.mailjet.com
[185.211.122.200] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 08:15:30 TLS error on connection from m36-218.mailgun.net
[69.72.36.218] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate
2023-07-13 08:18:31 TLS error on connection from m36-216.mailgun.net
[69.72.36.216] (SSL_accept): error:0A000412:SSL routines::sslv3 alert
bad certificate

O== Exim strace

My guess is, a local issue on the M$ side leads to this. And here is why:

We see an strace of exim with the HYPERV client server, which tried to
send mail in a 0.2 seconds intervall.

...
[pid 2956595] write(8,
"\5\7\2\1\26\"http://cps.root-x1.letsencrypt.org0<\6\3U\35\37\00450301\240/\240-\206+http://crl.identrust.com/DSTROOTCAX3CRL.crl0\35\6\3U\35\16\4\26\4\24y\264Y\346{\266\345\344\1s\200\10\210\310\32X\366\351\233n0\r\6\t*\206H\206\367\r\1\1\v\5\0\3\202\1\1\0\ns\0l\226n\377\16R\320\256\335\214\347Z\6\255/\250\343\217\277\311\n\3\25P\302\345lB\273o\233\364\264O\302D\210\10u\314\353\7\233\24bnx\336\354'\2729\\\365\242\241nV\224p\20S\261\273\344\257\320\242\303+\1\324\226\364\305
53\371\330a6\340q\215\264\270\265\252\202E\225\300\362\251#(\347\326\241\313g\10\332\240C,\252\33\223\37\311\336\365\253i]\23\365[\206X\"\312MU\344pgm\302W\305F9A\317\212X\203Xm\231\376W\3506\16\360\16#\252\375\210\227\320\343\\\16\224I\265\265\0275\322.\277N\205\357\30\340\205\222\353\6;l)#\t`\334E\2L\22\30;\351\373\16\336\334D\370X\230\256\352\275EE\241\210]f\312\376\20\351o\202\310\21B\r\373\351\354\343\206\0\336\235\20\3438\372\244}\261\330\350I\202\204\6\233+\350kO\1\f8w.\371\335\3479\26\3\3\2,\f\0\2(\3\0\35
\320c\346$\362!7\375\373\211\203i\224{\355\331\313s\27\254x\350[\f\335\342\362\216\226\242Z1\4\1\2\0eh\317\0GT\200n\342\22^\31\203k\250Hp\2466\207A\260k\22\32\374\10Z\342\243\t\263\31Q$\177\223\210%t\253\235\25\16\272\232\220\261\234Z\250\320\211\200\212\3\206\234\35\335\220\10\6\335\323R,\203\273\314\313<\254l\355\311T|\177j3\312A;\357\275\10\237\365
\\\27\27\376\330\337\307\322gc\272\374\254\"\221\320\204>~.c\355\276\0170\217,1\354\360\36i\356,
\237\375_\335:<{\306\215\255\200(\250F\221y9Y\32\223Y\16y\213\366\300hj\257\376\2\313\336*\303>\307\315r.%\23\20,\365Y\v\244f\270\7Md\\J\313e\t\343\223\272\351
\261l\345\256\201J=a|j\265\330ND\n\262\226z>\204\32\2\364\2243\265\361\240\225\215jR\220\244\"\351o7\250AHZ0\5x;\370$\1\215\271\376-\236\260\346JE\261\300T\263\355\266\32U*\275\217z\311D\307\214\371\333\360\371\327K\250\255I9\233\373\371\312\25\366A\377&\204\0376\36\27\204T\22\rr#\373\250\217\213S\274m\0\264\337\337\217dK\320\346\270'\1\373\35\23\230\243]\32\300;\n\223\211\233\320\373\306#\244\213\351\17\220\5\325?\366\374\n1k\223'\2371Ml\246\362\314\263xQ\241\31p\32789P\335\28\302)\19\312\371\304\267cy\\\325\342\275\227;\205\213\373R\364\r\304\223n\222|KS\t\203Mp\322\353gmG|\257+vpC\213b\216\6\341}xsgBs\33\314\305T\244\255\253\362XP\333\335\26~\23\332P\370\226Wc\233=o\320\273\303\325\t\305y#\325\0aY\3140h%\25\230<\277\3123\207a\224\3529\370\210\203\376%LV&:g\177\357X\205I\240\3058u[1~\363\177\363\225\313y\373\352\372j\334\232\300\214\2\270\240\n\263\241\366\26\3\3\0\4\16\0\0\0",
979) = 979
[pid 2956595] read(10, "\26\3\3\0%", 5) = 5
[pid 2956595] read(10, "\20\0\0! <\224\325N\\\0\203O\33\t
9-\335x\r\236\2570\204`\r\337\25D\253|\233@%zT", 37) = 37
[pid 2956595] read(10, "\24\3\3\0\1", 5) = 5
[pid 2956595] read(10, "\1", 1)         = 1
[pid 2956595] read(10, "\26\3\3\0(", 5) = 5
[pid 2956595] read(10,
"\0\0\0\0\0\0\0\0#\203\22\3111=\310\2378\365\25\253\367}\321l\2126cm\334i\377\16z\356\342\203\266@on",
40) = 40
[pid 2956595] getpid()                  = 2956595
[pid 2956595] write(8,
"\24\3\3\0\1\1\26\3\3\0(\247!K\311\"\304\34\253Z\310\357Jvk\231\277\200F\79\375\226}\325\r\t~\25k\327\361\357E\331|:\317\3149\337",
51) = 51
[pid 2956595] alarm(0)                  = 300
[pid 2956595] getpid()                  = 2956595
[pid 2956595] rt_sigaction(SIGALRM, {sa_handler=0x5607c44be8f0,
sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fca8ae98b20}, NULL, 8) = 0
[pid 2956595] alarm(300)                = 0
[pid 2956595] read(10,  <unfinished ...>
[pid 2956595] <... read resumed>"\25\3\3\0\32", 5) = 5
[pid 2956595] read(10,
"\0\0\0\0\0\0\0\1\350p\256\301tL\267\251S\224#{VV\345\312\365\24", 26) = 26
[pid 2956595] alarm(0)                  = 300
[pid 2956595] clock_gettime(CLOCK_REALTIME, {tv_sec=1689232441,
tv_nsec=347351859}) = 0
[pid 2956595] newfstatat(AT_FDCWD, "/etc/localtime",
{st_mode=S_IFREG|0644, st_size=2298, ...}, 0) = 0
[pid 2956595] geteuid()                 = 93
[pid 2956595] geteuid()                 = 93
[pid 2956595] openat(AT_FDCWD, "/var/log/exim/main.log",
O_WRONLY|O_CREAT|O_APPEND|O_NONBLOCK, 0640) = 3
[pid 2956595] fcntl(3, F_GETFD)         = 0
[pid 2956595] fcntl(3, F_SETFD, FD_CLOEXEC) = 0
[pid 2956595] fcntl(3, F_GETFL)         = 0x8c01 (flags
O_WRONLY|O_APPEND|O_NONBLOCK|O_LARGEFILE)
[pid 2956595] fcntl(3, F_SETFL, O_WRONLY|O_APPEND|O_LARGEFILE) = 0
[pid 2956595] newfstatat(3, "", {st_mode=S_IFREG|0640, st_size=33962550,
...}, AT_EMPTY_PATH) = 0
[pid 2956595] write(3, "2023-07-13 09:14:01 TLS error (SSL_read):
error:0A000412:SSL routines::sslv3 alert bad certificate\n", 99) = 99
[pid 2956595] rt_sigaction(SIGALRM, {sa_handler=0x5607c4475690,
sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fca8ae98b20}, NULL, 8) = 0
[pid 2956595] write(8, "*421 <HOSTNAMEREPLACED> lost input
connection\r\n*", 51) = 51


If the connection is lost in mid encryption, openssl may send the wrong
error message. Means: I think the "bad certificate" message is false, as
the cert is valid and correct.

As soon as we blocked the ip of that exchange, the messages disapeared
from the log. Any other mailserver/client was happy :)

@Exim-Devs:

What is the real cause for this... was the connection lost and SSL
correctly reported an error, or was there an error and due to that ssl
error, the connection was terminated ( from the other side) ?

If the connection is really lost, it may be a smart move to change the
logged message from

"TLS error (SSL_read): error:0A000412:SSL routines::sslv3 alert bad
certificate"

to

"TLS error (SSL_read): 'error:0A000412:SSL routines::sslv3 alert bad
certificate' due to connection lost in mid session"

or something similar.

The openssl error message for itself is misleading and if one can tell
what really happend, i'm wiling to report that as bug against openssl as
well.

best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/