On Sat, 13 Jul 2024, Wolfgang via Exim-users wrote:


Hello Viktor, Hello Jeremy,

and all others helping me to find the problem with my exim not being able to deliver to https://blog.lindenberg.one/EmailSecurityTest .

I have now tried a lot of things and learned a lot about debugging this kind of error.
As the biggest problem lies in the test mechanism, which introduces all kinds of simulated errors (no offering of STARTTLS etc.), it was hard testing against that.

So finally I created a test environment which had all the destinations with and without DANE, Let's Encrypt etc.  I created identical-looking self-signed certs and removed the usual BasicConstraints CA=FALSE, which all my self-signed certs have, so my cert looked just the same.

But I could deliver to any of my system's destinations after my DANE-DNSSEC problem was fixed.

So I went another way, diving into the command-line tools of GnuTLS instead of OpenSSL, which had so far been my tool for all those tests.  But as the error only occurred in GnuTLS, those tools could help me:

Testing the test system's self-signed cert, I needed several tries until I finally got STARTTLS offered, and there was one line more than in the exim debug output:

gnutls-cli -d 9999 -V -p 25 85.215.77.84 --starttls-proto=smtp
ASSERT: ../../lib/tls-sig.c[_gnutls_check_key_usage_for_sig]:58
Peer's certificate does not allow digital signatures. Key usage violation detected.
*** Fatal error: Key usage violation in certificate has been detected

Doing the same to my test destination for the self-signed cert:
gnutls-cli -d 9999 -V -p 25 78.46.150.68 --starttls-proto=smtp
 Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
 *** Fatal error: Error in the certificate

This reads totally different, as my current test exim would even accept a non-matching name.
No other error popped out.


Ok, I compared the certs again and they just looked identical:

[left cert]
  X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 1780f0f593e5c453adbb0ace8a352a65f85d9da7
    Issuer: OU=GnuTLS test,O=xxxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE

[right cert]
  X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 31553a407b3f80ae791c3b01fc6a5c9e68f0c371
    Issuer: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE

Hmm. One Issuer has a CN field, the other does not?

[left cert]
    Validity:
        Not Before: Sat Jul 13 18:08:35 UTC 2024
        Not After: Tue Jul 11 18:08:35 UTC 2034
    Subject: CN=xxxxxxx.sxxxxxxxxxxxxxx.de,OU=GnuTLS test,O=xxxxxxxxxxxxxx,L=Karlsruhe,ST=BW,C=DE
    Subject Public Key Algorithm: RSA

[right cert]
    Validity:
        Not Before: Sat Jan 22 16:08:03 UTC 2022
        Not After: Fri Jan 17 16:08:03 UTC 2042
    Subject: CN=et.lindenberg.one,OU=Tests,O=Lindenberg,L=Karlsruhe,ST=BW,C=DE
    Subject Public Key Algorithm: RSA

This is nearly unreadable.

Could you send a `diff -u` of the two certs/files/outputs?

Thanks,

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk
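The GnuTLS line quoted above ("Peer's certificate does not allow digital signatures. Key usage violation detected.") comes from a check of the certificate's X.509 KeyUsage extension, which the side-by-side dump does not show. As an added example that is not part of this thread, the following stdlib-only Python decodes a DER-encoded KeyUsage extension and reports which flags it asserts, so the digitalSignature bit can be checked directly; the extension bytes it parses are constructed samples, not taken from either certificate discussed here.

```python
# Added example, not from the thread: decode an X.509 KeyUsage extension
# (RFC 5280 4.2.1.3) from DER, the data GnuTLS consults before it rejects a
# peer's handshake signature. Stdlib only; the sample bytes are constructed.

KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")
OID_KEY_USAGE = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15


def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage_bits(bit_string: bytes) -> set:
    """Flag names set in a DER BIT STRING, honouring the unused-bits octet."""
    tag, content, _ = read_tlv(bit_string)
    if tag != 0x03:
        raise ValueError("KeyUsage value must be a BIT STRING")
    unused, bits = content[0], content[1:]
    usable = len(bits) * 8 - unused  # bit 0 is the MSB of the first octet
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable and (bits[i // 8] >> (7 - i % 8)) & 1}


def decode_key_usage_extension(ext: bytes):
    """Parse Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, _ = read_tlv(ext)
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != OID_KEY_USAGE:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN; absent means non-critical
        critical = value == b"\xff"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return critical, decode_key_usage_bits(value)


# Constructed samples: critical digitalSignature+keyEncipherment, critical
# keyEncipherment only (the case GnuTLS rejects), non-critical digitalSignature.
EXT_SIGN_AND_ENCIPHER = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
EXT_ENCIPHER_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020520")
EXT_SIGN_NONCRITICAL = bytes.fromhex("300b0603551d0f040403020780")
```

A certificate whose decoded set lacks "digitalSignature" cannot be used by the server to sign the TLS key exchange, which is the condition the quoted GnuTLS error describes.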
