[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On 07/07/2024 04:10, Viktor Dukhovni via Exim-users wrote:
> Any thoughts on
> what's wrong with the GNU-TLS build vs. DANE?


We don't have enough info on the scenario that is failing.

Basics such as who the actors are in the connection, with which roles
(that last item because of the confusion in the message I
responded to yesterday).
Actual debug output from the Exim system. I pointed out how best
to do that on the 2nd (assuming that the Exim system is the
accepting end for the connection).

[ In case it's an outbound connection at issue, a simple way to get
   debug is:
             exim -d+all -odf fred@??? </dev/null 2>&1 | tee debuglog


Substitute your test destination email address as required.
The command inserts a mostly-empty mail message and attempts to
do delivery in the foreground. Debug output comes via stderr
and is duplicated to both terminal and a file.
]

If we have to, we can extend debugging to see each certificate in
the chain being verified... but finding the right places in a Debian
config will be quite a lot of effort.

A packet capture, as you suggest, would be a last stop if debug
doesn't tell us enough.
--
Cheers,
Jeremy

