On 09/01/2023 17:39, Andreas Metzler via Exim-users wrote:
> On 2023-01-09 Cyborg via Exim-users <[email protected]> wrote:
>> please take this text as it is, a study for a fail you could avoid, no
>> fingerpointing, no flaming, only suggestions what to look for/change in your
>> toolchains.
>> In early December 2022 the server in question switched its OS release and
>> was restarted (Exim included). In this upgrade, the following switch was
>> made:
>> FROM:
>> 2022-11-28T20:46:24+0100 SUBDEBUG Upgraded: exim-4.96-5.fc35.x86_64
>> 2022-11-28T20:46:32+0100 SUBDEBUG Upgraded: *openssl-1:*1.1.1q-1.fc35.x86_64
>> [...]
>> As I can't remember any downstream patches to Exim inside Fedora's build,
>> something changed in how Exim or OpenSSL 3 handles the underlying
>> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL 3
>> is my personal candidate for this.
> [...]
> The major change in recentish time was in 4.95
> 11. Faster TLS startup. When various configuration options contain no
> expandable elements, the information can be preloaded and cached rather
> than the previous behaviour of always loading at startup time for every
> connection. This helps particularly for the CA bundle.
> I have also switched to restarting instead of HUP-ing my Exim after cert
> updates at some point, because the old cert still showed up.
Interesting. Is/are your cert(s) behind a symlink, from the place
baked into the TLS library (which is what Exim monitors)?
If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
"Symlink following for TLS creds files"
These are post-4.96 so have not hit a release yet.
--
Cheers,
Jeremy
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
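Added illustration of the failure mode Jeremy asks about; this is not Exim's code and not from the thread. It builds a certbot-style layout in a temporary directory (the names `live/fullchain.pem` and `archive/fullchainN.pem` are assumptions about the layout, as is the placeholder file content) and compares two hypothetical watchers: one that resolves the symlink once and then watches only that target, which is what a watch bound to the target inode (for example an inotify watch placed on a symlink path without IN_DONT_FOLLOW) amounts to, and one that follows the link afresh on every check. A renewal that writes a new archive file and repoints the link leaves the old inode untouched, so only the second watcher notices.

```python
"""Cert rotation behind a symlink: what a change watcher does and does not see.

Added illustration (not Exim's code, not from the thread). The layout
constructed below mimics a certbot-style tree, an assumption for the demo:

    live/fullchain.pem -> <root>/archive/fullchain1.pem   (then ...2.pem)
"""
import os
import tempfile


def file_identity(path):
    """Return (device, inode, mtime_ns) of whatever `path` resolves to.

    os.stat() follows symlinks, so this describes the target, not the link.
    """
    st = os.stat(path)
    return (st.st_dev, st.st_ino, st.st_mtime_ns)


class ResolveOnceWatcher:
    """Resolves the link at start-up and thereafter watches only that target.

    Hypothetical watcher modelling a watch bound to the target inode.
    Repointing the link never touches the old inode, so nothing is reported.
    """

    def __init__(self, path):
        self.target = os.path.realpath(path)  # resolved exactly once
        self.last = file_identity(self.target)

    def changed(self):
        now = file_identity(self.target)
        result = now != self.last
        self.last = now
        return result


class ReresolveWatcher:
    """Hypothetical watcher that follows the link afresh on every check."""

    def __init__(self, path):
        self.path = path
        self.last = file_identity(self.path)

    def changed(self):
        now = file_identity(self.path)  # lands on the new inode after a repoint
        result = now != self.last
        self.last = now
        return result


def write_version(archive_dir, version, body):
    """Write archive/fullchain<version>.pem and return its absolute path."""
    path = os.path.join(archive_dir, f"fullchain{version}.pem")
    with open(path, "w") as f:
        f.write(body)
    return path


def repoint(link, target):
    """Atomically make `link` point at `target`: new link, then rename over the old."""
    tmp = link + ".tmp"
    os.symlink(target, tmp)
    os.replace(tmp, link)


def simulate_rotation():
    """Return (seen_by_resolve_once, seen_by_reresolve) after one renewal."""
    with tempfile.TemporaryDirectory() as root:
        archive = os.path.join(root, "archive")
        live = os.path.join(root, "live")
        os.makedirs(archive)
        os.makedirs(live)
        link = os.path.join(live, "fullchain.pem")

        # Constructed placeholder contents; real files hold PEM certificates.
        repoint(link, write_version(archive, 1, "cert v1\n"))

        once = ResolveOnceWatcher(link)
        again = ReresolveWatcher(link)

        # Renewal: a new archive file appears, the live link is repointed,
        # and the previous archive file is left exactly as it was.
        repoint(link, write_version(archive, 2, "cert v2\n"))

        return once.changed(), again.changed()


if __name__ == "__main__":
    once, again = simulate_rotation()
    print(f"resolve-once watcher noticed rotation: {once}")
    print(f"re-resolving watcher noticed rotation: {again}")
```

Running it prints `False` for the resolve-once watcher and `True` for the re-resolving one, which is the situation a daemon that monitors the path compiled into the TLS library ends up in when that path is a symlink repointed by the renewal tool rather than a file rewritten in place.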