[exim] Re: exim spitting out "bad certificate" log lines

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni via Exim-users
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: exim spitting out "bad certificate" log lines
On Thu, Jul 13, 2023 at 10:21:02AM +0200, Cyborg via Exim-users wrote:

> Since 08:15 CEST Exim is spitting out these errors:
>
> 2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL > routines::sslv3 alert bad certificate


This is reported by OpenSSL to the local application (Exim server) when
the remote peer sends a fatal "bad certificate" alert and hangs up the
connection.

> 2023-07-13 08:15:53 TLS error (SSL_read): error:0A000412:SSL
> routines::sslv3 alert bad certificate
> [...]


The symptom is not transient, the client is having consistent problems
validating the certificate.

> which, for itself, are not so uncommon in the logfile. This morning they
> exploded massively.


Perhaps your configuration is missing the required intermediate issuer
certificates? Or the client's clock is wrong, or its list of trusted
CAs is incomplete, ...

> A user with a "COPR-HYPERV" environment reported, that his exchange
> can't connect to the server with a cert error.


That's sufficient. Certificate validity "is in the eye of the
beholder".

> checktls on the other side gave the system a 114 out
> of 124 points, (you need DANE for the last 10 points)


Evidence that the certificate (chain) is good enough for some clients
does not invalidate clear evidence that it is not good enough for
others.

> We see an strace of exim with the HYPERV client server, which tried to
> send mail in a 0.2 seconds intervall.


The strace proves nothing. A PCAP file with full packet capture could
be more illuminating, if TLS 1.2 is being negotiated. With TLS 1.3 too
much of the handshake is encrypted...

> If the connection is lost in mid encryption, openssl may send the wrong
> error message. Means: I think the "bad certificate" message is false, as
> the cert is valid and correct.


You're mistaken. Connection "loss" is normal when a fatal alert is
sent.

> What is the real cause for this...


The client could not validate the certificate.

> "TLS error (SSL_read): error:0A000412:SSL routines::sslv3 alert bad
> certificate"


This is the correct log message.

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/