>>>>> "TFH" == Tollef Fog Heen <tfh...@err.no> writes:

TFH> It's usually a good idea to mail the people who actually run the
TFH> debian.org systems if you want help debugging problems like this.

The first note, as I wrote, was an attempt to confirm whether the problem
was limited to @bugs's MX. Given the first, it seemed only polite to
explain that the issue wasn't what I thought it was.

>> It turned out that buxtehude's exim doesn't like the (cacert-signed,
>> wildcard) cert my box offers when sending mail.

TFH> 2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.

TFH> I'm not entirely sure why that happens, though, given we run very
TFH> similar configurations on buxtehude and the other mail-receiving hosts.

Testing with:

:; gnutls-cli --verbose --verbose --debug=1 --dane --local-dns \
     --no-ca-verification --starttls --port 25 \
     --x509certfile=/etc/ssl/certs/my_wild_cacert.pem \
     --x509keyfile=my_wild.key \
     buxtehude.debian.org.

works fine:

- Server's trusted authorities:
   [0]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmas...@puppet.debian.org
   [1]: C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP CA,EMAIL=hostmas...@puppet.debian.org
- Successfully sent 1 certificate(s) to server.
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: D3:62:75:6A:ED:FC:C5:1C:61:12:F8:1B:06:4F:DD:81:B7:0F:9C:25:36:0C:AA:56:72:CE:9F:02:9C:E1:2C:BF
- Version: TLS1.2
- Key Exchange: RSA
- Client Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Channel binding 'tls-unique': 1eb70f592718d20b6721e52f

Also, openssl can connect with:

:; openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt \
     -starttls smtp -showcerts -debug -state -crlf -tlsextdebug \
     -status -msg -connect buxtehude.debian.org:25

but if I add:

     -key my_wild.key -cert /etc/ssl/certs/my_wild_cacert.pem

it fails. The result is the same if I use a non-wild cert.
But it works if I use the commercial cert I use for my https site. A cert
with the same RSA size and sha1 sig hash as the cacert. So this does seem
to be an openssl vs gnutls issue.

I'll try to trigger it on a cloud server with debugging turned up and get
a more detailed debug log.

Which release does buxtehude run? Wheezy?

-JimC
-- 
James Cloos <cl...@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
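An added example, not part of this thread or of exim: a small triage script over exim main-log lines of the shape quoted above ("TLS error on connection from ... (gnutls_handshake): ..."), which groups handshake failures per peer and per gnutls message and contrasts them with deliveries whose X= field shows a completed handshake. The log lines are constructed samples; only the first mirrors the thread, and the X= layout on the success line is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of exim main-log lines. The first mirrors the line quoted
# in the thread; the remaining lines are assumed for illustration only.
SAMPLE_LOG = """\
2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.
2013-09-12 02:36:10 1VJpXq-0002Ab-7f <= user@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLS1.2:RSA_AES_128_CBC_SHA1:128 S=1234
2013-09-12 02:40:02 TLS error on connection from ore.jhcloos.com [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.
2013-09-12 03:01:17 TLS error on connection from relay.example.net [203.0.113.5] (gnutls_handshake): A TLS fatal alert has been received.
"""

# "TLS error on connection from <host> [<ip>] (<stage>): <message>"
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \((?P<stage>[^)]+)\): (?P<msg>.*)$"
)
# Completed inbound TLS delivery: "H=<host> [<ip>] ... X=<proto:suite:bits>" (assumed layout)
TLS_SESSION_RE = re.compile(
    r" H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\].* X=(?P<x>\S+)"
)

def parse_tls_errors(log_text):
    """Return one dict (ts, host, ip, stage, msg) per TLS-error line."""
    return [m.groupdict() for m in map(TLS_ERROR_RE.match, log_text.splitlines()) if m]

def summarize_tls_errors(log_text):
    """Count handshake failures per (host, ip) and, per gnutls message, per host.
    One peer failing repeatedly with the same message (as ore.jhcloos.com does
    here) points at a certificate/algorithm mismatch, not a transient fault."""
    by_peer = Counter()
    by_msg = defaultdict(Counter)
    for rec in parse_tls_errors(log_text):
        by_peer[(rec["host"], rec["ip"])] += 1
        by_msg[rec["msg"]][rec["host"]] += 1
    return by_peer, by_msg

def negotiated_sessions(log_text):
    """Map host -> X= field (protocol:cipher:bits) for deliveries that did
    complete a handshake, to contrast against the failing peers."""
    sessions = {}
    for line in log_text.splitlines():
        m = TLS_SESSION_RE.search(line)
        if m:
            sessions[m.group("host")] = m.group("x")
    return sessions
```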