On 2023-01-09 Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 09/01/2023 17:39, Andreas Metzler via Exim-users wrote:
[...]
>>> something changed how exim or openssl3 is handling the underlying
>>> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
>>> is my personal candidate for this.
>> [...]
>> The major change in recentish time was in 4.95
>> 11. Faster TLS startup.  When various configuration options contain no
>>      expandable elements, the information can be preloaded and cached rather
>>      than the previous behaviour of always loading at startup time for every
>>      connection.  This helps particularly for the CA bundle.
>> 
>> I have also switched to restarting instead of HUP-ing my exim after cert
>> updates at some point because the old cert still showed up.

> Interesting.  Is/are your cert(s) behind a symlink, from the place
> baked into the TLS library (which is what Exim monitors)?

> If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
> "Symlink following for TLS creds files"
> These are post-4.96 so have not hit a release yet.

Hello Jeremy,

I have had this on my TODO, waiting for the next letsencrypt cert
update. I dropped the
"service exim4 stop ; sleep .2 ; service exim4 start"
from my post update script and checked whether exim now automatically
saw the new certs. It did. :-)

I am not symlinking my certs and since this was on Debian's 4.96-14~bpo11+1
neither of the two symlink-cert fixes is included. (I will consider
cherry-picking them anyway.) So it looks like something else was broken
at some point in time and is fixed again.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
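The check Andreas describes (did the running Exim pick up the renewed cert without a restart?) can be scripted. This is an added example, not code from the thread or from Exim: it fetches the certificate the server presents after STARTTLS and compares its SHA-256 fingerprint with the PEM file on disk; host, port and the PEM path are assumptions.

```python
"""Compare the certificate a live SMTP server presents with the one on disk.

Added example (not from the thread or from Exim): after a Let's Encrypt
renewal, a mismatch here means the daemon is still serving the old,
cached certificate and needs a restart (or the symlink-following fix).
"""
import base64
import hashlib
import smtplib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    start = pem_text.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem_text.index(PEM_END, start)
    body = "".join(pem_text[start:end].split())  # drop line wrapping
    return base64.b64decode(body)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_cert_der(host: str, port: int = 25, timeout: float = 10.0) -> bytes:
    """Fetch the certificate an SMTP server presents after STARTTLS.

    Verification is disabled on purpose: we want the raw presented
    certificate even if it is expired or otherwise untrusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def cert_matches_disk(served_der: bytes, pem_path: str) -> bool:
    """True when the served certificate equals the one stored in pem_path."""
    with open(pem_path, "r", encoding="ascii") as fh:
        return fingerprint(served_der) == fingerprint(pem_to_der(fh.read()))


if __name__ == "__main__":
    # Assumed host and path; adjust to the MTA and cert file being checked.
    der = served_cert_der("mail.example.org", 25)
    print("matches disk:", cert_matches_disk(der, "/etc/exim4/exim.crt"))
```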

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
