[exim] Re: GnuTLS and Dane-Problem finally solved

Top Page
Delete this message
Reply to this message
Author: Wolfgang
Date:  
To: Viktor Dukhovni via Exim-users
Subject: [exim] Re: GnuTLS and Dane-Problem finally solved
Hello Viktor, Hello Andrew,

looks like, I have not clearly enough stated in my last mails, that SNI is not longer an issue.
After the options trust-ad thing, and restarting everthing, SNI worked.

> Red herring, due to a flawed test. The SNI issue remains unresolved.


And in the meanwhile Andrew pointed me, to a small but very important glitch in my certificate:

As I missed to have a CN in the Issuer-field, while it was there in Subject, the cert is no
self-signed-cert, as the Issuer can't be found. So OpenSSL accepts this certificate as untrusted,
but otherwise OK for this purpose, securing a TLS connection with protocols, which could be better,
but unfortunately still widespread.

As soon, as I added the CN to my Clone-Cert, it was also not longer trusted. The reason:
Now, with identical Issuer and Subject items, GnuTLS can verify the cert against itself, and in this
case it is complains, because the cert has no "keyCertSign"-KeyUsage!
As this is a violation against the rules, the certificate itself states, and not against third party
rule, GnuTLS seems to be correct.

OpenSSL just sees, that Issuer==Subject, and concludes, that this is self-signed, and this seems to
be ok.

I did a check against some mailservers with self signed certificates (there are not very much out
there, since letsencrypt is widespread), and they are looking either similar to my wrong clone, so
Issuer!=Subject, or the have the "keyCertSign"-KeyUsage set.

And this was really the core problem, I was fighting against. It was good, as I found my SNI issue,
and really learned, that exim does not use SNI in non DANE connections. This seems to be
a chicken-egg problem, because as long, as mailservers can't start using SNI in sending out mail,
its impossible to do a very easy configuration multiplexing on incoming messages, based on SNI.


Regards

Wolfgang


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/