On Sun, Jul 07, 2024 at 09:36:48AM +0100, Jeremy Harris via Exim-users wrote:
> Basics such as who the actors are in the connection, with which roles
> (that last item because of the confusion in the message I
> responded to yesterday).

The connection is to "mx06.et.lindenberg.one" on port 25. When the TLSA
base domain "mx06.et.lindenberg.one" is sent as the SNI name, the presented
certificate chain is:

    subject=CN = et.lindenberg.one
    issuer=C = US, O = Let's Encrypt, CN = R3

    subject=C = US, O = Let's Encrypt, CN = R3
    issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

This has a valid key usage, and passes DANE checks.

> Actual debug output from the Exim system. I pointed out how best
> to do that on the 2nd (assuming that the Exim system is the
> accepting end for the connection).

On the other hand, when SNI is not sent, a different certificate
(single-element "chain") is presented, which does not match the TLSA
records, and whose keyUsage does not include "Digital Signature", which is
then not compatible with ephemeral DH and ECDH key exchange.
    X509v3 Key Usage:
        Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication

This "default" certificate is:

    issuer=C = DE, ST = BW, L = Karlsruhe, O = Lindenberg, OU = Tests, CN = et.lindenberg.one
    notBefore=Jan 22 16:08:03 2022 GMT
    notAfter=Jan 17 16:08:03 2042 GMT
    subject=C = DE, ST = BW, L = Karlsruhe, O = Lindenberg, OU = Tests, CN = et.lindenberg.one

So it sure seems like Exim DANE with GnuTLS fails to set the TLSA base
domain as the SNI name, while the Exim with OpenSSL does take care of
that...

-- 
    Viktor.
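The keyUsage compatibility check behind the observation above, as an added example that is not part of the thread: it decodes an X.509 KeyUsage BIT STRING and reports which TLS key exchanges a server certificate with those flags can serve. The two DER values in the demo are the standard encodings of the flag sets the message quotes (digitalSignature+keyEncipherment for the Let's Encrypt certificate, keyEncipherment+dataEncipherment for the default certificate), constructed here rather than taken from the page.

```python
"""Decode an X.509 KeyUsage BIT STRING and report which TLS key-exchange
methods a server certificate carrying that key usage can support."""

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of
# the first content octet of the BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}


def decode_key_usage(der: bytes) -> set:
    """Parse a short-form DER BIT STRING (tag 0x03) into KeyUsage flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused = der[2]          # number of unused trailing bits in the last octet
    body = der[3:]
    nbits = len(body) * 8 - unused
    flags = set()
    for bit in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(KEY_USAGE_BITS[bit])
    return flags


def key_exchange_support(flags: set) -> dict:
    """Which TLS key exchanges a server cert with these flags can serve.

    Ephemeral (EC)DHE and every TLS 1.3 handshake require the server to sign
    with the certificate key, so digitalSignature is mandatory there; static
    RSA key transport (TLS <= 1.2 only) instead needs keyEncipherment."""
    return {
        "ECDHE/DHE (incl. TLS 1.3)": "digitalSignature" in flags,
        "static RSA key transport": "keyEncipherment" in flags,
    }


if __name__ == "__main__":
    # Constructed values: the standard encodings of the two flag sets quoted
    # in the message (Let's Encrypt cert vs. the no-SNI "default" cert).
    for label, hexval in (("with SNI", "030205a0"), ("without SNI", "03020430")):
        flags = decode_key_usage(bytes.fromhex(hexval))
        print(label, sorted(flags), key_exchange_support(flags))
```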