[exim] Debug TLS/DANE problems

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Wolfgang
Dátum:  
Címzett: exim-users
Tárgy: [exim] Debug TLS/DANE problems
Hello all,

to debug, why the valid CERT is not accepted for a DANE verified outbound connection, I tried to
enable debugging via ACL:

>acl_smtp_starttls:
>      accept
>          message = TLS debug started
>          logwrite = TLS debugging acl triggered
>          control = debug
>          control = debug/tag=.$sender_host_address
>          control = debug/opts=-all+deliver+tls
>          control = debug/trigger=now



However I get not a single line of debug output,
neither when exim denies the connection with the error:
"Key usage violation in certificate has been detected.",
nor when other working TLS connections are established.

But this seems not to work, exims creates no debuglog.

When I however put those controls to "acl_log_write", i get a full bunch of stuff, but nothing related
to TLS, but thats what I wish to get. I get all detailed informations of all routers, filters,
transports, with all expansions and other stuff, but not a single line according to the connection
to remote host with all TLS/DANE related stuff. I have configured -all+tls, but looks like, i get
all but tls!

However the logfile claims, that +tls is set:
>   check control = debug/tag=.$sender_host_address/opts=-all+tls
>              = debug/tag=.111.222.111.222/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag=".111.222.111.222" opts="-all+tls"
>   check control = debug/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   check control = debug/trigger=now/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   accept: condition test succeeded in ACL "acl_log_write"
>   end of ACL "acl_log_write": ACCEPT


My goal is getting informations, which of the presented certs during the TLS handshake exim takes
into account for verifing the DANE RR. Furthermore if exim compares hostname against CN or one of
the additional SANs embedded in the cert.

Can anyone point me into the right direction, how can I get those informations?

Thanks

Wolfgang


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/