[exim] Re: GnuTLS and Dane-Problem finally solved

Author: Andrew C Aitchison
To: Wolfgang
CC: exim-users
Subject: [exim] Re: GnuTLS and Dane-Problem finally solved
On Sat, 13 Jul 2024, Wolfgang via Exim-users wrote:

>
> Hello Viktor, Hello Jeremy,
>
> and all others helping me, to find the problem with my exim not able to deliver to the
> https://blog.lindenberg.one/EmailSecurityTest .
>
> I tried now a lot of things, and learned a lot about debugging this kind of error.
> As the biggest problem lies in the test mechanism, which introduces all kinds of simulated errors
> (no offering of STARTTLS etc.), it was hard testing against that.
>
> So finally I have created a test environment, which had all the destinations with and without DANE,
> letsencrypt etc. I created identical looking self-signed certs, removed the usual BasicConstraints
> CA=FALSE, which all my self-signed certs have, so my cert looked just the same.
>
> But I could deliver to any of my systems destinations, after my DANE-DNSSEC problem was fixed.
>
> So I went another way, diving into the command line tools of GnuTLS, instead of OpenSSL, which had
> so far been my tools for all those tests. But as the error only occurred in GnuTLS, those tools could
> help me:
>
> Testing the test system's self-signed cert, I needed to start some tries, till I finally got STARTTLS
> offered, and there was a single line more than in the exim debug output:
>
> gnutls-cli -d 9999 -V -p 25 85.215.77.84 --starttls-proto=smtp
> ASSERT: ../../lib/tls-sig.c[_gnutls_check_key_usage_for_sig]:58
> Peer's certificate does not allow digital signatures. Key usage violation detected.
> *** Fatal error: Key usage violation in certificate has been detected
>
> Doing the same to my test-destination for the self-signed cert:
> gnutls-cli -d 9999 -V -p 25 78.46.150.68 --starttls-proto=smtp
> Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
> *** Fatal error: Error in the certificate
>
> reads totally different, as my current test exim would even accept a non-matching name.
> No other error popped out.
>
>
> Ok, I compared the certs again and they just looked identical:
>
> [left column]
> X.509 Certificate Information:
>        Version: 3
>        Serial Number (hex): 1780f0f593e5c453adbb0ace8a352a65f85d9da7
>        Issuer: OU=GnuTLS test,O=xxxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE
>
> [right column]
> X.509 Certificate Information:
>        Version: 3
>        Serial Number (hex): 31553a407b3f80ae791c3b01fc6a5c9e68f0c371
>        Issuer: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE


Hmm. One Issuer has a CN field, the other does not?

> [left column, continued]
>        Validity:
>                Not Before: Sat Jul 13 18:08:35 UTC 2024
>                Not After: Tue Jul 11 18:08:35 UTC 2034
>        Subject: CN=xxxxxxx.sxxxxxxxxxxxxxx.de,OU=GnuTLS test,O=xxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE
>        Subject Public Key Algorithm: RSA
>
> [right column, continued]
>        Validity:
>                Not Before: Sat Jan 22 16:08:03 UTC 2022
>                Not After: Fri Jan 17 16:08:03 UTC 2042
>        Subject: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE
>        Subject Public Key Algorithm: RSA


This is nearly unreadable.

Could you send a `diff -u` of the two certs/files/outputs?

Thanks,

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
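The gnutls-cli error quoted above ("Peer's certificate does not allow digital signatures. Key usage violation detected.") comes from GnuTLS enforcing the certificate's Key Usage extension. The script below is an added example, not code from this thread or from the Exim or GnuTLS projects; it assumes an openssl CLI of 1.1.1 or later (for `-addext` and `-ext`) and builds two constructed self-signed certificates to show how to check a server cert for the digitalSignature bit before GnuTLS-based peers reject it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl >= 1.1.1.
# A TLS server must sign the handshake with (EC)DHE key exchange, so a
# certificate whose Key Usage extension omits digitalSignature triggers
# GnuTLS's "Key usage violation in certificate" error.

# make_cert PREFIX KEYUSAGE: constructed self-signed RSA cert with the
# given keyUsage value (e.g. "digitalSignature,keyEncipherment").
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -addext "keyUsage=critical,$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# has_digital_signature CERT: exit 0 if the Key Usage extension includes
# Digital Signature, or is absent (no restriction); exit 1 otherwise.
has_digital_signature() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null)
    # No Key Usage extension at all: nothing forbids signing.
    if ! printf '%s\n' "$ku" | grep -q 'Key Usage'; then
        return 0
    fi
    printf '%s\n' "$ku" | grep -q 'Digital Signature'
}

# check_cert CERT: one-line verdict; exit status as has_digital_signature.
check_cert() {
    if has_digital_signature "$1"; then
        echo "$1: Key Usage allows digitalSignature"
    else
        echo "$1: Key Usage lacks digitalSignature (GnuTLS would reject it)"
        return 1
    fi
}

# demo: generate one good and one signing-incapable cert and check both.
demo() {
    d=$(mktemp -d)
    make_cert "$d/signing" "digitalSignature,keyEncipherment"
    make_cert "$d/encipher-only" "keyEncipherment"
    check_cert "$d/signing.crt"
    check_cert "$d/encipher-only.crt" || true
    rm -rf "$d"
}
```

Source the file and run `demo`, or call `check_cert /path/to/server.pem` against the certificate your MTA actually serves.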

