[exim] Debug TLS/DANE problems

Inizio della pagina
Questo messaggio è parte di questo thread:
M\il thread completo ordinato per data
MM 
MJeremy Harris at ->
Delete this message
Reply to this message
Autore: Wolfgang
Data:  
To: exim-users
Oggetto: [exim] Debug TLS/DANE problems
Hello all,

to debug, why the valid CERT is not accepted for a DANE verified outbound connection, I tried to
enable debugging via ACL: 

>acl_smtp_starttls:
>      accept
>          message = TLS debug started
>          logwrite = TLS debugging acl triggered
>          control = debug
>          control = debug/tag=.$sender_host_address
>          control = debug/opts=-all+deliver+tls
>          control = debug/trigger=now


However I get not a single line of debug output,
neither when exim denies the connection with the error:
"Key usage violation in certificate has been detected.",
nor when other working TLS connections are established.

But this seems not to work, exims creates no debuglog.

When I however put those controls to "acl_log_write", i get a full bunch of stuff, but nothing related
to TLS, but thats what I wish to get. I get all detailed informations of all routers, filters,
transports, with all expansions and other stuff, but not a single line according to the connection
to remote host with all TLS/DANE related stuff. I have configured -all+tls, but looks like, i get
all but tls!

However the logfile claims, that +tls is set:
>   check control = debug/tag=.$sender_host_address/opts=-all+tls
>              = debug/tag=.111.222.111.222/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag=".111.222.111.222" opts="-all+tls"
>   check control = debug/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   check control = debug/trigger=now/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   accept: condition test succeeded in ACL "acl_log_write"
>   end of ACL "acl_log_write": ACCEPT

My goal is getting informations, which of the presented certs during the TLS handshake exim takes
into account for verifing the DANE RR. Furthermore if exim compares hostname against CN or one of
the additional SANs embedded in the cert.

Can anyone point me into the right direction, how can I get those informations?

Thanks

Wolfgang


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Questo messaggio è stato inviato alle seguenti mailing lists:
Exim-users
Informazioni sulla Mailing List | Messaggi correlati		<-[exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails[exim] Re: Debug TLS/DANE problems->
Tahini and Hummus and Cumin Development Archives amministrato da cumin AdminsLurker (versione 2.3)