Hello, there seems to be some breakage in 4.95 RC0 with outgoing TLS, it fails to verify the peer certificate:
--------------------
initialising GnuTLS as a client on fd 7
GnuTLS global init required
initialising GnuTLS client session
Expanding various TLS configuration options for session credentials
TLS: basic cred init, client
TLS: no client certificate specified; okay
TLS: tls_verify_certificates not set or empty, ignoring
GnuTLS using default session cipher/priority "NORMAL"
Setting D-H prime minimum acceptable bits to 1024
31.15.64.248 in tls_verify_hosts? yes (matched "*")
31.15.64.248 in tls_verify_cert_hostnames? yes (matched "*")
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de"
TLS: server certificate verification required
TLS: will request OCSP stapling
31.15.64.248 in tls_resumption_hosts? no (option unset)
about to gnutls_handshake
search_tidyup called
SMTP>>(close on process exit)
>>>>>>>>>>>>>>>> Exim pid=128174 (daemon-accept) terminating with rc=0 >>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> child 128174 ended: status=0x0
normal exit, 0
0 SMTP accept processes now running
Listening...
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
To get keying info for TLS1.3 is hard:
 Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
 and make sure it is writable by the Exim runtime user.
 Add SSLKEYLOGFILE to keep_environment in the exim config.
 Start Exim as root. If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
 (works for TLS1.2 also, and saves cut-paste into file).
 Trying to use add_environment for this will not work
TLS: checking peer certificate
The certificate is NOT trusted. The certificate issuer is unknown.
TLS certificate verification failed (certificate invalid): peerdn="CN=vsrv21575.customer.vlinux.de"
TLS session fail: (certificate verification failed): certificate invalid
--------------------

For reference, with 4.94.2 (+fixes) successful debug output looks like this:

--------------------
initialising GnuTLS as a client on fd 7
GnuTLS global init required.
initialising GnuTLS client session
Expanding various TLS configuration options for session credentials.
TLS: no client certificate specified; okay
Added 127 certificate authorities.
GnuTLS using default session cipher/priority "NORMAL"
Setting D-H prime minimum acceptable bits to 1024
31.15.64.248 in tls_verify_hosts? yes (matched "*")
31.15.64.248 in tls_verify_cert_hostnames? yes (matched "*")
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de".
TLS: server certificate verification required.
TLS: will request OCSP stapling
about to gnutls_handshake
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
To get keying info for TLS1.3 is hard:
 Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
 and make sure it is writable by the Exim runtime user.
 Add SSLKEYLOGFILE to keep_environment in the exim config.
 Start Exim as root. If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
 (works for TLS1.2 also, and saves cut-paste into file).
 Trying to use add_environment for this will not work
TLS: checking peer certificate
TLS certificate verified: peerdn="CN=vsrv21575.customer.vlinux.de"
 cipher: TLS1.3:ECDHE_SECP256R1__ECDSA_SECP384R1_SHA384__AES_256_GCM:256
Have channel bindings cached for possible auth usage
--------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
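As an added example (not part of Andreas's post or of Exim itself), a small Python triage script that pulls the verification-relevant facts out of Exim GnuTLS client debug output, so the difference between the two runs above (no CA bundle loaded in 4.95 RC0 versus 127 CAs in 4.94.2, with verification required in both) is flagged mechanically rather than spotted by eye. The sample input is a constructed, abbreviated copy of the quoted debug lines.

```python
import re

# Constructed samples: the verification-relevant lines from the two quoted runs.
DEBUG_4_95_RC0 = """\
TLS: no client certificate specified; okay
TLS: tls_verify_certificates not set or empty, ignoring
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de"
TLS: server certificate verification required
TLS: checking peer certificate
The certificate is NOT trusted. The certificate issuer is unknown.
TLS certificate verification failed (certificate invalid): peerdn="CN=vsrv21575.customer.vlinux.de"
"""

DEBUG_4_94_2 = """\
TLS: no client certificate specified; okay
Added 127 certificate authorities.
TLS: server cert verification includes hostname: "vsrv21575.customer.vlinux.de".
TLS: server certificate verification required.
TLS: checking peer certificate
TLS certificate verified: peerdn="CN=vsrv21575.customer.vlinux.de"
"""

def summarise_tls_debug(text):
    """Return the CA-loading and verification facts found in one debug run."""
    s = {"cas_loaded": 0, "verify_required": False, "verify_hostname": None,
         "verified": None, "peerdn": None, "problems": []}
    for line in text.splitlines():
        if m := re.search(r"Added (\d+) certificate authorities", line):
            s["cas_loaded"] = int(m.group(1))
        elif "tls_verify_certificates not set or empty" in line:
            s["problems"].append("no CA bundle configured (tls_verify_certificates ignored)")
        elif "server certificate verification required" in line:
            s["verify_required"] = True
        elif m := re.search(r'verification includes hostname: "([^"]+)"', line):
            s["verify_hostname"] = m.group(1)
        elif m := re.search(r'TLS certificate verified: peerdn="([^"]+)"', line):
            s["verified"], s["peerdn"] = True, m.group(1)
        elif m := re.search(r'verification failed \(([^)]+)\): peerdn="([^"]+)"', line):
            s["verified"], s["peerdn"] = False, m.group(2)
            s["problems"].append(f"verification failed: {m.group(1)}")
    # The combination that explains the RC0 failure: verification demanded, no trust anchors.
    if s["verify_required"] and s["cas_loaded"] == 0:
        s["problems"].append("verification required but zero CAs loaded; every peer will fail")
    return s

if __name__ == "__main__":
    for label, text in (("4.95 RC0", DEBUG_4_95_RC0), ("4.94.2", DEBUG_4_94_2)):
        r = summarise_tls_debug(text)
        print(f"{label}: CAs={r['cas_loaded']} verified={r['verified']} peerdn={r['peerdn']}")
        for p in r["problems"]:
            print(f"  problem: {p}")
```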
