Thank you for the various replies! Viktor wrote:

>> 2022-11-21 21:10:42 TLS error on connection from
>> r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS
>> fatal alert has been received.
>
> OpenSSL would usually log the alert number (and associated text string),
> from which one could infer more information about what the remote client
> is unhappy about. I'd hope that GnuTLS could also log this (or make the
> alert info available to Exim to optionally log).

Hopefully if I set it correctly, per Jeremy's reply below, it will.

> That said, the most common issues that remote clients are unhappy about
> are untrusted certificates and expired certificates. Perhaps you have a
> Let's Encrypt certificate chain that includes a cross cert to the now
> expired DST Root CA (for Android compatibility). You can configure
> certbot et al. to build a chain that skips the cross cert, expecting
> clients to support the ISRG root.
>
> If the server in question is "london.jcbradfield.org", then another
> potential issue is a missing intermediate issuer certificate. Your
> certificate chain has only the leaf server certificate without the
> required "R3" intermediate issuer certificate. If using certbot, use
> "fullchain.pem" not "cert.pem" (or the equivalent for a different
> setup).

Indeed. That's only been the case recently. For the last 20 years, I've been presenting a self-signed certificate and had never noticed any problems. A few days ago I happened to notice my bank getting these TLS fatal alerts and then *not* falling through to plain text, which most others do. So I started experimenting, but hadn't yet got as far as giving the full chain (largely, I admit, because I don't have certification internalized, and just follow recipes).

Jeremy wrote:

> The gnutls library helpfully (I infer) reads the environment at
> process startup, too early for the config-driven addition of that
> variable. Try having the thing firing off the exim process
> adding to the environment instead. You'll need to add it
> to keep_environment.

Thanks! Should have thought of that.

> Alternatively, since you know there's an alert involved, go down
> the packet capture route. You'll need to
> add_environment = SSLKEYLOGFILE=<SOME_DIRECTORY>/sslkeys
> and tell wireshark where to pick them up
> (edit/pref/protocols/tls/ Master Secret Log filename)

Ugh. Hopefully not... Presumably that would also have to be done by setting it before exim start.

> Oh, yes, do ensure you're running with Exim's debug facilities
> enabled. Commandline option or ACL modifier.

Tried that. Debug +tls gave nothing useful.

Kirill wrote: something in base64 which got saved as such :) (Anybody know a newsreader which supports following up to multiple articles at once?) Asking, I think, for any information, as he sees something similar. Will do.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
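The two fixes discussed in this thread (serve the full chain rather than the bare leaf, and get GnuTLS debugging into the daemon's environment before it starts) can be written as an Exim main-section fragment. This is an added example, not configuration posted by anyone in the thread; the /etc/letsencrypt paths follow certbot's usual layout but are assumed, and the hostname is the one mentioned above.

```exim
# Added example, not from the thread. Paths under /etc/letsencrypt are
# assumed to be certbot's defaults for the named host.

# Weak setting: cert.pem holds only the leaf certificate, so a client that
# does not already have Let's Encrypt's "R3" intermediate cached cannot build
# a path to a trusted root and sends a fatal alert instead of proceeding.
#tls_certificate = /etc/letsencrypt/live/london.jcbradfield.org/cert.pem

# Corrected setting: fullchain.pem is the leaf followed by the intermediate(s).
tls_certificate = /etc/letsencrypt/live/london.jcbradfield.org/fullchain.pem
tls_privatekey  = /etc/letsencrypt/live/london.jcbradfield.org/privkey.pem

# GnuTLS reads GNUTLS_DEBUG_LEVEL when the library initialises, which happens
# before Exim applies add_environment. So export the variable from whatever
# starts the daemon (for systemd, Environment=GNUTLS_DEBUG_LEVEL=5 in the unit)
# and only tell Exim not to scrub it from the inherited environment here.
keep_environment = GNUTLS_DEBUG_LEVEL
```

To confirm what a remote MTA actually receives, connect as a client and count the certificates presented: `openssl s_client -starttls smtp -connect london.jcbradfield.org:25 -showcerts </dev/null`. With fullchain.pem in place the output shows the leaf at depth 0 and the "R3" intermediate at depth 1; with cert.pem only the leaf appears and verification fails with an "unable to get local issuer certificate" error. If the remaining complaint is the expired DST Root CA X3 cross-sign that Viktor mentions, certbot's `--preferred-chain "ISRG Root X1"` option requests the shorter chain at the next renewal.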