Hello all,

To debug why the valid CERT is not accepted for a DANE-verified outbound
connection, I tried to enable debugging via ACL:

>acl_smtp_starttls:
>      accept
>          message = TLS debug started
>          logwrite = TLS debugging acl triggered
>          control = debug
>          control = debug/tag=.$sender_host_address
>          control = debug/opts=-all+deliver+tls
>          control = debug/trigger=now


However, I do not get a single line of debug output,
neither when exim denies the connection with the error:
"Key usage violation in certificate has been detected.",
nor when other working TLS connections are established.

So this does not seem to work; exim creates no debuglog.

However, when I put those controls into "acl_log_write", I get a whole bunch
of stuff, but nothing related to TLS, which is what I wish to get. I get all
the detailed information on all routers, filters and transports, with all
expansions and other stuff, but not a single line about the connection to the
remote host with all the TLS/DANE-related stuff. I have configured -all+tls,
but it looks like I get all but tls!

However, the logfile claims that +tls is set:
>   check control = debug/tag=.$sender_host_address/opts=-all+tls
>              = debug/tag=.111.222.111.222/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag=".111.222.111.222" opts="-all+tls"
>   check control = debug/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   check control = debug/trigger=now/opts=-all+tls
>DEBUGGING ACTIVATED FROM WITHIN CONFIG.
>DEBUG: Tag="NULL" opts="-all+tls"
>   accept: condition test succeeded in ACL "acl_log_write"
>   end of ACL "acl_log_write": ACCEPT

My goal is to get information on which of the certs presented during the TLS
handshake exim takes into account for verifying the DANE RR, and furthermore
whether exim compares the hostname against the CN or one of the additional
SANs embedded in the cert.

Can anyone point me in the right direction on how I can get this information?

Thanks

  Wolfgang


-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
