[exim] Re: exim spitting out "bad certificate" log lines

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni via Exim-users
Data:  
Dla: exim-users
Temat: [exim] Re: exim spitting out "bad certificate" log lines
On Thu, Jul 13, 2023 at 10:30:06PM +0300, Evgeniy Berdnikov via Exim-users wrote:

> On Thu, Jul 13, 2023 at 11:11:31AM -0400, Viktor Dukhovni via Exim-users wrote:
> > Perhaps the OpenSSL library could change the message to be:
> >
> >     "TLS fatal alert from <peer|client|server>: bad certificate"

>
> Does TLS/SSL protocol provide enough information to conclude that alert
> should be interpreted as "bad certificate" message from other side?


Yes. https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.2

> Does it provide any granularity on this badness, such as time window,
> signature, algorithms and so on?


No.

> As far as I understand from reading traffic captures, there are no text
> fields in TLS/SSL alert messages. It looks like severe design flaw
> of this protocol, leading to problems in diagnostic on both sides.


Alerts carry just an alert level and number.

    https://datatracker.ietf.org/doc/html/rfc8446#section-6


-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/