On 2013-10-07 at 18:01 +0200, Axel Rau wrote:
> All my mail servers use a pgsql lookup via TLS.
> After upgrading to 4.82 RC2, I'm getting:
> ---
> …DEFER: PGSQL connection failed: SSL error: tlsv1 alert unknown ca

This tells me that the certificate authority used to issue the certificate used by the Postgres server is not recognised by the SSL libraries used by Exim.

> In the pgsql log:
> ---
> "could not accept SSL connection: no certificate returned",,,,,,,,,""

That's the server logging the termination reason given by the client during its clean shutdown.

> -r--r--r-- 1 root daemon 2565 Aug 4 14:14 ca_cert.pem
> lrwxr-xr-x 1 root daemon 31 Sep 8 17:51 postgresql.crt -> maileserver.at.some.domain_server_cert.pem
> lrwxr-xr-x 1 root daemon 30 Sep 8 17:51 postgresql.key -> maileserver.at.some.domain_server_key.pem
> lrwxr-xr-x 1 root daemon 11 Sep 8 17:51 root.crt -> ca_cert.pem

Okay, and is that ca_cert.pem also used in the system SSL store? Are you sure that nothing got updated in the Exim area? I note that the dates on those files are only a month ago: did someone deploy the change live and "fix" the certificate store live but not check the change into the SCM, so that spinning up an Exim box with an RC on it did not get the fix?

> Something has changed here or is broken in RC2.

Compared to which release of Exim?

Agreed that if Exim is being more strict by default, then this needs to be called out in README.UPDATING as an issue. Note though that pgsql.c has not changed since the previous release, and the only changes I know of around TLS behaviour relate specifically to the LDAP support.

In fact, Exim doesn't do _any_ explicit initialisation of TLS for the pgsql lookup; we don't support using pgsql: schema URLs; we use an older API for initialisation, `PQsetdbLogin()`, and the only place we might supply the options is specified as NULL. So a PGOPTIONS environment variable will be honoured; is it possible that you have $PGOPTIONS defined in environ when starting the RC, but not in the system startup scripts?

There have been a number of TLS changes, which _should_ relate only to TLS in SMTP, and were made to support cut-through delivery.

As rampant speculation, I can hypothesize that Exim initialises TLS in OpenSSL differently and this now carries through to the use made by libpq of OpenSSL. But I don't think so.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
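The trust decision behind the "tlsv1 alert unknown ca" message, reproduced offline. This is an added example, not code from the thread, from Exim or from PostgreSQL: it generates throwaway certificates with the openssl command-line tool (assumed installed), and the CA names, the host name pg.example.test and the file names are all constructed for the demo. The alert is sent by the client side of the handshake (libpq inside Exim) when the server's certificate does not chain to anything in the client's trust store, which for libpq is the root.crt in ~/.postgresql of the user Exim runs as, or the file named by $PGSSLROOTCERT. `openssl verify -CAfile root.crt server.crt` answers the same question without involving Exim or the database.

```shell
#!/bin/sh
# Added example, not code from this thread, Exim or PostgreSQL.
# Reproduces the client-side check that precedes a "tlsv1 alert unknown ca":
# the server certificate must chain to a CA in the client's root.crt.
# All certificates are throwaway ones generated here; names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA: $1 = file prefix, $2 = CN.
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# Server certificate signed by a CA: $1 = CA prefix, $2 = out prefix, $3 = host.
make_server_cert() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$3" \
        >"$WORK/$2.ext"
    openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The client-side decision: does the server cert verify against this root.crt?
# Prints "ok" or "unknown-ca" so callers can branch on the result.
check_chain() {  # $1 = root.crt, $2 = server certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

make_ca trusted_ca "Trusted Test CA"
make_ca other_ca   "Some Other CA"
make_server_cert trusted_ca pgserver pg.example.test

# Same server certificate both times; only the client's root.crt differs.
check_chain "$WORK/trusted_ca.pem" "$WORK/pgserver.pem"   # ok
check_chain "$WORK/other_ca.pem"   "$WORK/pgserver.pem"   # unknown-ca
```

On a real box the same check is `check_chain ~EXIMUSER/.postgresql/root.crt server.crt` with the certificate the PostgreSQL server actually presents; if that prints unknown-ca, the Exim build is irrelevant and the trust store on the client is what changed. Since Exim hands `PQsetdbLogin()` a NULL options string, everything libpq decides about TLS comes from its documented environment variables (PGOPTIONS, PGSSLMODE, PGSSLROOTCERT and friends) and from the files under ~/.postgresql, so comparing `env | grep '^PG'` in the shell that started the RC against the environment the init script provides is the other half of the diagnosis.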
