On Thu, 4 Sep 2025, Viktor Dukhovni via Exim-users wrote:

> On Wed, Sep 03, 2025 at 11:44:23AM +0100, Mark Hills via Exim-users wrote:
>
> > 59213 SSL SSL_accept,state_chg: SSLv3/TLS write certificate request
>
> The server requests a client certificate.
>
> > 59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
>
> The server reads the client's response,
>
> > 59213 CLIENT_TRAFFIC_SECRET_0
> > 4834841eb4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > e3c12a3feb660dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > 59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
>
> But then immediately moves to the "finished" state. I don't see any
> attempt to read the client's certificate verify message, so I don't
> think the client sent a certificate (it sent an empty certificate
> message).
>
> Whatever certificate the client had on hand was not actually sent.
>
> > 59213 using ACL "acl_check_rcpt"
> > [...]
> > 59213 processing "accept" (/usr/local/etc/exim/configure 169)
> > 59213 check verify = certificate
> > 59213 accept: condition test failed in ACL "acl_check_rcpt"
> > 59213 processing "warn" (/usr/local/etc/exim/configure 174)
> > 59213 check verify = certificate
> > 59213 warn: condition test failed in ACL "acl_check_rcpt"
> > 59213 processing "require" (/usr/local/etc/exim/configure 186)
> > 59213 message: relay not permitted
> > 59213 check domains = +local_domains : +relay_to_domains
>
> It would then not be surprising that certificate verification fails.
Thanks for your assistance, this got me on the right path.

It turns out another user [*] already reported and traced this problem.
That 'other' user was actually me, in early 2024, on a different OS (I can
only apologise for juggling too many things, and having no deja-vu here).

The solution is the same: opensmtpd no longer offers its certificate
without a "pki" keyword.

Returning to Exim, this does question whether there could be more debug
information on +tls_certificate_verified? Both this thread and the
previous one from 2024 relied on some custom rules for logging.
Attempting "verify = certificate" with no certificate from the client
could raise a message in the detailed logs (rather than having to rely on
the absence of a message/step -- and other users to point it out).

Thanks again for your assistance.

[*] https://lists.exim.org/lurker/message/20240512.131848.1ea93122.en.html

-- 
Mark
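The diagnosis in this thread rests on noticing a step that is missing from Exim's debug output: a "read client certificate" state followed by "read finished" with no "certificate verify" state in between means the client answered the CertificateRequest with an empty Certificate message, so `verify = certificate` cannot succeed. The following script is an added example, not code from the thread, from Exim or from opensmtpd; it scans an Exim `-d+tls` style trace for the `SSL_accept,state_chg:` lines and reports that missing step explicitly. The sample traces are constructed from the state sequence quoted above (traffic secret replaced by a placeholder), and the "read certificate verify" state name is assumed to be OpenSSL's long state string for the CertificateVerify read, matched loosely on the words "certificate verify" to tolerate version differences.

```python
import re

# Constructed sample reproducing the SSL_accept state sequence quoted in the
# thread (PID kept, traffic secret replaced by a placeholder). Note the lack of
# any "certificate verify" state between the client certificate and Finished.
EMPTY_CERT_DEBUG = """\
59213 SSL SSL_accept,state_chg: SSLv3/TLS write certificate request
59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
59213 CLIENT_TRAFFIC_SECRET_0 <redacted>
59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
59213 check verify = certificate
59213 accept: condition test failed in ACL "acl_check_rcpt"
"""

# Constructed counter-example: the same trace when the client really presents
# a certificate. "SSLv3/TLS read certificate verify" is assumed to be the
# OpenSSL long state name for reading CertificateVerify.
PRESENTED_CERT_DEBUG = """\
59213 SSL SSL_accept,state_chg: SSLv3/TLS write certificate request
59213 SSL SSL_accept,state_chg: SSLv3/TLS read client certificate
59213 SSL SSL_accept,state_chg: SSLv3/TLS read certificate verify
59213 SSL SSL_accept,state_chg: SSLv3/TLS read finished
"""

# Exim prefixes each debug line with the process PID; the handshake states
# come from OpenSSL's SSL_accept state-change callback.
STATE_RE = re.compile(r"^(?P<pid>\d+) SSL SSL_accept,state_chg: (?P<state>.+?)\s*$")


def handshake_states(debug_text):
    """Collect the SSL_accept state names per Exim PID, in log order.

    Leading mail-quote markers ("> ") are stripped so a trace pasted from a
    list archive can be fed in unchanged.
    """
    states = {}
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()
        m = STATE_RE.match(line)
        if m:
            states.setdefault(m.group("pid"), []).append(m.group("state"))
    return states


def classify_client_auth(states):
    """Classify one PID's state sequence with respect to client certificates.

    Returns one of:
      "not_requested" - the server never sent a CertificateRequest
      "incomplete"    - the trace does not cover the relevant handshake steps
      "empty"         - CertificateRequest answered, but no CertificateVerify
                        was read: the client sent an empty Certificate message,
                        so "verify = certificate" will fail
      "presented"     - Certificate followed by CertificateVerify: the client
                        sent a certificate and proved possession of its key
    """
    lowered = [s.lower() for s in states]
    requested = any("write certificate request" in s for s in lowered)
    read_cert = any("read client certificate" in s for s in lowered)
    verified = any("certificate verify" in s for s in lowered)
    finished = any("read finished" in s for s in lowered)

    if not requested:
        return "not_requested"
    if read_cert and verified:
        return "presented"
    if read_cert and finished:
        return "empty"
    return "incomplete"


def analyse(debug_text):
    """Map every PID found in an Exim debug trace to its client-auth verdict."""
    return {pid: classify_client_auth(s) for pid, s in handshake_states(debug_text).items()}


EXPLANATION = {
    "empty": "client answered the certificate request with an empty Certificate "
             "message (no CertificateVerify read); 'verify = certificate' cannot succeed",
    "presented": "client sent a certificate and a CertificateVerify",
    "not_requested": "server never requested a client certificate",
    "incomplete": "trace does not cover a full handshake",
}

if __name__ == "__main__":
    for label, trace in (("empty-cert trace", EMPTY_CERT_DEBUG),
                         ("presented-cert trace", PRESENTED_CERT_DEBUG)):
        for pid, verdict in analyse(trace).items():
            print(f"{label}: pid {pid}: {verdict} - {EXPLANATION[verdict]}")
```

Run against a real trace (`exim -bd -d+tls` output or a pasted list message), the "empty" verdict is the positive signal the thread asks for: it turns the absence of a CertificateVerify step into an explicit finding, which is also the point at which the client side (here the opensmtpd relay without a `pki` keyword) rather than Exim's CA configuration should be inspected.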
