On 22.12.2014 at 12:48, Evgeniy Berdnikov wrote:
> OK. Exim is built with GnuTLS, and you are trying to connect with OpenSSL,
> without success in cipher negotiation. Let's try to use gnutls-cli first.
> Install the gnutls-bin package for Ubuntu, then run
> % gnutls-cli -p 465 localhost --no-ca-verification --crlf -d4
> and post the output here.
I did this (stripped all invalid options):
gnutls-cli -p 465 localhost --crlf
With the SHA-512 certificate:
Resolving 'localhost'...
Connecting to '127.0.0.1:465'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
With the new SHA-256 certificate:
Resolving 'localhost'...
Connecting to '127.0.0.1:465'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2047 bits
- Peer's public key: 2047 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=DE,ST=-,L=-,O=-,OU=-,CN=xxxx.de,EMAIL=-', issuer
`C=DE,ST=-,L=-,O=-,OU=-,CN=xxxx.de,EMAIL=-', RSA key 4096 bits, signed using
RSA-SHA256, activated `2014-12-22 11:24:00 UTC', expires `2015-12-22 11:24:00
UTC', SHA-1 fingerprint `7ce35cd046c6937b5e19f8a021c5adef5b886e9b'
- The hostname in the certificate does NOT match 'localhost'
So it's basically the same result I guess.
One more piece of info, if it's helpful:
$ gnutls-cli --version
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.1)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos.
--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/