On Tue, Jul 02, 2024 at 03:51:38PM +0200, Wolfgang via Exim-users wrote:
> > Otherwise, any MX host with a Let's Encrypt certificate could
> > impersonate any other such host.
>
> I don't get this: Even, when either the CN nor an additional SAN matches, I see no risk
> for impersonating, as the trusted public key belongs to an private key.
If the thing that's trusted is the *issuing CA*, which issues many
different certificates to many different servers, then it is not
sufficient to check the validity of the chain to some random issued
certificate, it has to have been issued to the actual server you're
trying to connect to. But, it seems that's not your problem, rather:
On Tue, Jul 02, 2024 at 03:09:13PM +0100, Jeremy Harris via Exim-users wrote:
> On 02/07/2024 14:51, Wolfgang via Exim-users wrote:
> > Key usage violation
>
> That's coming out of the GnuTLS library.
>
> A quick web search finds:
> "In any case, the problem is with your server's X.509 certificate chain: Either the server certificate itself or another certificate in the chain has a key usage restriction that is violated. For example a certificate with a key usage restriction to signing cannot be used to authenticate TLS connections. See section 4.2.1.3 of RFC 5280."
A certificate used for TLS must not be restricted an incompatible
keyUsage or extendedKeyUsage.
It is time to post the actual certificate chain (without the private key
of course), or if this a remote server anyone can connect to,
alternatively the hostname (and port, if not 25) of the remote server.
The information you're providing is much too terse, and it is taking too
much time to diagnose, what is surely a simple problem.
--
Viktor.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
