On Fri, 20 Dec 2019 15:01:16 +0100 Heiko Schlittermann wrote:

> Christian Balzer <ch...@gol.com> (Fri 20 Dec 2019 14:49:27 CET):
> > > > The testmail.do.main VIP is handled by smtp01 and 02, with being
> > > > resident on smtp01 for most of the testing, but failing it over
> > > > doesn't change the outcome.
> > >
> > > If connections to the individual servers work as expected but connecting
> > > to them via the loadbalancer fail, I'd check the loadbalancer first, not
> > > Exim.
> > >
> > > Does your loadbalancer intercept the SSL connection?
> >
> > Please re-read the thread, there is no loadbalancer involved in this test
> > setup, just a (not so much) floating Virtual IP managed by pacemaker.
>
> Ok. From "individual IPs" and the rest of the context I assumed a
> loadbalancer setup. (Yes, I know, assumptions are the mother of …)
>
> I do not see why GnuTLS should behave dependent on the IP you're
> connecting to. I'd retest this with openssl s_server, or, since there is
> no device in between, with gnutls-serv of the same version as the
> libraries Exim uses.

I've tried this with "openssl s_server" and it works either which way,
unsurprisingly.

"openssl s_server -cert wildcard.crt -key wildcard.key -CAfile ca.crt"

I can't get gnutls-serv to use/send the CA intermediate at all, only the
server cert is sent with:

"gnutls-serv --x509keyfile=wildcard.key --x509certfile=wildcard.crt --x509cafile=ca.crt"

> And I remember some issues with the order of the certs in the cert file.

While that sounds vaguely familiar, I don't think it could/should affect
things.

Regards,

Christian

-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Rakuten Mobile Inc.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
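Since the thread turns on whether the server actually sends the intermediate CA, here is an added check (example code, not from the thread, from Exim or from GnuTLS) that parses the "Certificate chain" block printed by `openssl s_client -showcerts` and reports whether an intermediate is present and whether each certificate's issuer matches the next certificate's subject. The host and CA names and the two sample outputs below are constructed for illustration; the script name in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread, Exim or GnuTLS: check whether a
# TLS server presents its intermediate CA, by parsing the "Certificate chain"
# block that `openssl s_client -showcerts` prints.
# Host names, CA names and the sample outputs are constructed for illustration.

# Read s_client output on stdin; print one "subject|issuer" line per
# certificate, in the order the server sent them (leaf first).
parse_chain() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/  { exit }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); print subj "|" $0 }
    '
}

# Number of certificates the server presented.
chain_depth() {
    parse_chain | wc -l | tr -d ' '
}

# Exit 0 if a client that trusts only the root can build the chain:
# at least two certs (leaf + intermediate) and each issuer equals the next
# cert's subject. Prints a one-line diagnosis either way.
check_chain() {
    parse_chain | awk -F'|' '
        { subj[NR] = $1; iss[NR] = $2 }
        END {
            if (NR == 0) { print "no certificate chain found"; exit 1 }
            if (NR == 1) { print "leaf only: intermediate CA not sent (" subj[1] ")"; exit 1 }
            for (i = 1; i < NR; i++)
                if (iss[i] != subj[i+1]) {
                    print "chain broken at depth " i ": issuer \"" iss[i] "\" != next subject \"" subj[i+1] "\""
                    exit 1
                }
            print "chain ok: " NR " certificates, leaf " subj[1]
        }
    '
}

# Live check against host:port (needs network and openssl; not run by default).
# Second argument, e.g. "smtp", selects STARTTLS for a plain-text listener.
live_chain() {
    host_port=$1
    starttls=${2:+-starttls $2}
    openssl s_client -connect "$host_port" -servername "${host_port%%:*}" \
        $starttls -showcerts </dev/null 2>/dev/null | check_chain
}

# Constructed sample: a server sending only its leaf, the symptom seen with
# the gnutls-serv invocation above.
LEAF_ONLY='---
Certificate chain
 0 s:CN = *.do.main
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...(truncated)
-----END CERTIFICATE-----
---
Server certificate'

# Constructed sample: leaf followed by its intermediate, as openssl s_server
# with the chain in its cert file sends it.
FULL_CHAIN='---
Certificate chain
 0 s:CN = *.do.main
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...(truncated)
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...(truncated)
-----END CERTIFICATE-----
---
Server certificate'

if [ "$#" -gt 0 ]; then
    live_chain "$@"
else
    for sample in "$LEAF_ONLY" "$FULL_CHAIN"; do
        if printf '%s\n' "$sample" | check_chain; then :; else echo "  -> FAIL"; fi
    done
fi
```

With no arguments it runs the two constructed samples; `sh chainck.sh testmail.do.main:25 smtp` (script name hypothetical) checks a real STARTTLS listener, and `sh chainck.sh host:465` a TLS-on-connect one. On the gnutls-serv result above: the reliable way to make gnutls-serv, and Exim via `tls_certificate`, present the intermediate is to put it in the certificate file itself, server certificate first and then the intermediate, and keep the CA file for verifying peers. That ordering is also the one to check whenever a server starts sending the leaf alone.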