Exim TLS troubles

sysdev (Verified User, joined Jul 16, 2007, 440 messages)
I noticed a number of errors in my exim mainlog:

(SSL_accept): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

But ssllabs, dnssec, tlsa etc. are all correct. I'm using Letsencrypt certs.

Anyone seen this before? It's a pretty basic DA install.
 
Not that I can think of. Which log are you seeing this in, the exim log or messages?
 
In the exim mainlog. It looks like it's when another mailserver wants a TLS connection to exim's port 25: my exim requests a client cert from the remote client, but after the client sends it, my exim is unable to validate it (because tls_verify_certificates is empty by default).
 
I currently have no entries similar to this in the mainlog. :( Sorry.
 
That's no problem. Secure email connections are usually only used between a user's client and the submit part of the MTA, not between MTAs themselves. But every now and then I see these messages and the sending mailserver refuses to send mail in plain text, so this keeps hammering the server for 4 days, after which delivery fails. And that sucks because it makes us look stupid... which we apparently are, because otherwise we would have fixed it already :)
 
routines:ssl3_read_bytes:tlsv1
Doesn't this mean a connection is being attempted at ssl3 via TLSv1, which is not enabled by default anymore?
I've found on the net that if there is a "tlsv1 alert unknown ca", it would mean the server did not accept the client certificate used. So a client-side error.
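To read the error string from that log line, here is an added example (not from this thread or from Exim): it decodes the OpenSSL error code into its library, function and reason fields, maps reason codes at or above 1000 (OpenSSL's SSL_AD_REASON_OFFSET) to the TLS alert the remote side sent, and then counts repeated failures per sending host. The sample mainlog lines are constructed, and their shape follows Exim's "TLS error on connection from HOST [IP] (SSL_accept): ..." wording, which is assumed here.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246 7.2). OpenSSL reports an alert *received from
# the peer* with reason code SSL_AD_REASON_OFFSET (1000) + the alert number.
SSL_AD_REASON_OFFSET = 1000
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

def decode_openssl_error(err):
    """Split 'error:14094418:...' into library, function and reason fields.
    peer_alert is set when the reason encodes an alert the other side sent."""
    m = re.match(r"error:([0-9A-Fa-f]{8}):", err)
    if not m:
        raise ValueError("not an OpenSSL error string: %r" % err)
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    alert = TLS_ALERTS.get(reason - SSL_AD_REASON_OFFSET) if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason, "peer_alert": alert}

# Assumed Exim mainlog shape: "<date> <time> TLS error on connection from HOST [IP] (SSL_accept): error:..."
LOG_RE = re.compile(r"^\S+ \S+ TLS error on connection from (\S+) \[([^\]]+)\] \((\w+)\): (error:.*)$")

def summarize_tls_errors(lines):
    """Count TLS errors per (host, ip, handshake call, peer alert). A host that
    shows up again and again is the retry storm described in the thread."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            host, ip, call, err = m.groups()
            counts[(host, ip, call, decode_openssl_error(err)["peer_alert"])] += 1
    return counts

# Constructed sample lines, not real traffic (documentation IPs, example.* hosts).
SAMPLE_LOG = [
    "2019-03-05 10:21:33 TLS error on connection from mx.example.net [203.0.113.10] (SSL_accept): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "2019-03-05 10:36:40 TLS error on connection from mx.example.net [203.0.113.10] (SSL_accept): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "2019-03-05 11:02:07 TLS error on connection from relay.example.org [198.51.100.7] (SSL_accept): error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
    "2019-03-05 11:05:00 <= bob@example.org H=relay.example.org [198.51.100.7] P=esmtp S=1423",
]
```

For the thread's own code, 0x14094418 decodes to reason 1048, i.e. alert 48 (unknown_ca), so the log records an alert that arrived from the connecting host during SSL_accept.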
 
Doesn't this mean a connection is being attempted at ssl3 via TLSv1, which is not enabled by default anymore?
I've found on the net that if there is a "tlsv1 alert unknown ca", it would mean the server did not accept the client certificate used. So a client-side error.
Yes, the client sends a certificate, but afaik this is only if my server asks for a client cert first and is then unable to check it. Or something like that.
 
I don't have that much expertise on that, but if your server asks for a TLS 1.2 certificate and the client sends 1.0, then maybe it causes something like that.
So that would mean it's still the client who should fix this. Especially since your server seems alright.

I presume you have everything updated, including these 2 lines in /etc/exim.variables.conf:
Code:
tls_dhparam = /etc/exim_dh.pem
tls_dh_max_bits = 4096
 
Exim still drops secure mails on port 25 with 'tlsv1 alert unknown ca'. Even with 'tls_try_verify_hosts = *', which means that secure connections should still get accepted when the cert or chain is not valid.

Really would like a solution to this as it looks like an error in the default exim config.
 
I would add the word BUG in the title.

If you have support I would log a ticket.
 
Well, still not sure if it is a bug... I can find about zero usable solutions online about this. Tried a zillion things with no luck...
 
Really would like a solution to this as it looks like an error in the default exim config.
But TLS v1 won't get accepted as far as I know. Don't you first have to change the directadmin.conf setting to achieve this?
Try this in directadmin.conf:
ssl_cipher= (check if empty or put in your custom ones to allow this traffic)

and to allow tls v1, this one in options.conf:
ssl_configuration=old

Probably need to build some stuff (like rewrite_confs) after doing any of these changes.
 
But TLS v1 won't get accepted as far as I know. Don't you first have to change the directadmin.conf setting to achieve this?
Try this in directadmin.conf:
ssl_cipher= (check if empty or put in your custom ones to allow this traffic)

and to allow tls v1, this one in options.conf:
ssl_configuration=old

Probably need to build some stuff (like rewrite_confs) after doing any of these changes.
True as far as I know.
 
That would only change the ciphers. But the error is about the CA, I think... a secure client is sending a client certificate and exim is unable to verify the CA of that certificate. So, e.g. your secure client sends an email and includes his Thawte certificate; my exim should be able to check the CA against its trusted CA certs. And that seems to fail. Now, afaik exim has no SSL code and delegates this to openssl.

I'm now trying the tls_verify_certificates = /etc/ssl/certs option. Need to wait until the remote server retries to send it again.

Edit: which it did, and failed again with the same error... bloody bollocks... :)
 
Plesk solution
 
Yeah, well, I have valid certs, up-to-date ca-certificates etc... and half of the answers state it's the client's fault in not sending the right cert/chain, others say it's the server's fault in checking the CA. But I'd like at least a 'they fucked up'/'you fucked up' answer.
 
Yeah, well, I have valid certs, up-to-date ca-certificates etc... and half of the answers state it's the client's fault in not sending the right cert/chain, others say it's the server's fault in checking the CA. But I'd like at least a 'they fucked up'/'you fucked up' answer.
I know, but I am just trying to help you find a possible answer.
 
I appreciate that, but I've seen all those 'solutions' already before I posted the question. I might switch a server to plesk or whatever to see if that solves it.
 