[exim] Re: exim spitting out "bad certificate" log lines

Author: Cyborg
Date:  
To: exim-users
Subject: [exim] Re: exim spitting out "bad certificate" log lines
Hi all,

On 13.07.23 at 15:58, Viktor Dukhovni via Exim-users wrote:
>> If the connection is lost mid-encryption, openssl may send the wrong
>> error message. Meaning: I think the "bad certificate" message is false, as
>> the cert is valid and correct.
> You're mistaken. Connection "loss" is normal when a fatal alert is
> sent.

That's why I asked for clarification about which side raised that error code.

I did not know that the client can/does tell the server it connects to
and receives the cert from that the client "thinks" the supplied
certificate is "bad". As far as I found when searching for the openssl
error code, this one refers to a client certificate sent to the
server. But it also makes sense that the client is nice and tells the
server what he "thinks".

>> "TLS error (SSL_read): error:0A000412:SSL routines::sslv3 alert bad
>> certificate"
> This is the correct log message.

If the chain of events is as we expect it to be, that the client tries
to validate the cert, fails, sends a meaningful error code to
the server and then closes the connection, wouldn't it be wise to add a
hint to the reported error message that it came from the client?

I have to admit that I was shocked to see this message en masse in the
log files and instantly checked the local cert files for a cause. Now,
after investigating this further, it's clear that the other side sends
a corresponding error code and openssl creates this message text, which
exim just prints out.

And here's the tricky question: would a new admin who has never read
this mailing list conclude that this message is caused by the
client, or would he/she try to analyse a local problem that does not
exist? Seen in this light, a small change to the log message can't hurt.

In the meantime ... report from the client: some Windows-based servers
have a local problem with the cert, others with the same updates (I have
my doubts about that) have no issues. Oh well.

best regards,
Marius
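The distinction the thread turns on (alert raised by the remote side versus a local verification failure) can be read straight out of the hex error code in the exim log line, because OpenSSL reserves SSL-library reason codes from 1000 upwards for alerts received from the peer. The following classifier is an added example, not code from exim or from anyone in this thread; it assumes the OpenSSL 3 error-code packing (library number in the top bits, reason in the low 23 bits) and the exim log line format shown in the quoted message. The sample lines are constructed.

```python
import re

# OpenSSL packs an error code as (library << 23) | reason; ERR_LIB_SSL is 20.
ERR_LIB_SSL = 20
# SSL-library reason codes >= 1000 (SSL_AD_REASON_OFFSET) are reserved for alerts
# *received from the peer*: reason = 1000 + TLS AlertDescription number.
SSL_AD_REASON_OFFSET = 1000

# TLS AlertDescription values (RFC 5246 section 7.2 / RFC 8446 section 6).
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    112: "unrecognized_name", 116: "certificate_required",
}

LOG_RE = re.compile(
    r"TLS error \((?P<op>[^)]+)\): error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*)")


def classify_tls_error(line):
    """Return a dict describing where a logged OpenSSL TLS error originated.

    'origin' is "peer" when the code encodes an alert sent by the remote side
    (so the remote's view of *our* certificate is what needs looking at),
    "local" for any other OpenSSL error, or None if the line does not match.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x7FFFFF
    result = {"op": m.group("op"), "lib": lib, "reason": reason, "text": m.group("text")}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
        result.update(origin="peer", alert=alert,
                      alert_name=ALERT_NAMES.get(alert, "alert_%d" % alert))
    else:
        result["origin"] = "local"
    return result


# Constructed sample lines: the first is the message quoted in the thread, the
# others use real OpenSSL 3 reason codes (1048 = received unknown_ca alert,
# 134 = SSL_R_CERTIFICATE_VERIFY_FAILED, i.e. our own verification failed).
SAMPLE_LINES = [
    "TLS error (SSL_read): error:0A000412:SSL routines::sslv3 alert bad certificate",
    "TLS error (SSL_read): error:0A000418:SSL routines::tlsv1 alert unknown ca",
    "TLS error (SSL_connect): error:0A000086:SSL routines::certificate verify failed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = classify_tls_error(line)
        where = "peer sent %s" % r["alert_name"] if r["origin"] == "peer" else "local error"
        print("%-11s %s" % (r["op"], where))
```

A "peer" result on SSL_read, as in the quoted line, means the other side rejected the certificate this server presented, so the thing to check is how that server's chain looks from outside (expiry, intermediate present, trusted root), not the local client-cert configuration.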
