Bug#1043233: exim4-base: On-connect auto-generated self-signed certificates have expired end date
Björn Wiberg
bjorn.wiberg at outlook.com
Mon Aug 7 19:23:00 BST 2023
Package: exim4-base
Version: 4.96-15+deb12u1
Severity: normal
Hello,
When using built-in on-connect auto-generated self-signed certificates (i.e., not installing "real" SSL/TLS certificates), the ones that are auto-generated appear to have a date in the past (1970-01-01 02:00:00 UTC) as their end date:
glimmer:~$ gnutls-cli --starttls-proto=smtp 127.0.0.1
Processed 140 CA certificate(s).
Resolving '127.0.0.1:smtp'...
Connecting to '127.0.0.1:25'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=glimmer.localdomain,O=Exim Developers,C=UK', issuer `CN=glimmer.localdomain,O=Exim Developers,C=UK', serial 0x0100000000000000, RSA key 3072 bits, signed using RSA-SHA256, activated `2023-08-07 17:40:16 UTC', expires `1970-01-01 02:00:00 UTC', pin-sha256="40P5jkI8FD97/oh+CYdi4BJH1nfhpfk0BFH/25j3yK4="
Public Key ID:
sha1:179da7ef14d6fdcea2d6894405c3531976f5b4df
sha256:e343f98e423c143f7bfe887e098762e01247d677e1a5f9340451ffdb98f7c8ae
Public Key PIN:
pin-sha256:40P5jkI8FD97/oh+CYdi4BJH1nfhpfk0BFH/25j3yK4=
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
glimmer:~$ openssl s_client -starttls smtp -connect 127.0.0.1:25 -showcerts < /dev/null
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
verify error:num=10:certificate has expired
notAfter=Jan 1 02:00:00 1970 GMT
verify return:1
depth=0 C = UK, O = Exim Developers, CN = glimmer.localdomain
notAfter=Jan 1 02:00:00 1970 GMT
verify return:1
---
Certificate chain
0 s:C = UK, O = Exim Developers, CN = glimmer.localdomain
i:C = UK, O = Exim Developers, CN = glimmer.localdomain
a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 7 17:40:16 2023 GMT; NotAfter: Jan 1 02:00:00 1970 GMT
---
Server certificate
subject=C = UK, O = Exim Developers, CN = glimmer.localdomain
issuer=C = UK, O = Exim Developers, CN = glimmer.localdomain
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1992 bytes and written 410 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3072 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
250 HELP
DONE
I would have expected the auto-generated certificates to have at least some limited validity period.
Best regards
Björn
-- Package-specific info:
Exim version 4.96 #2 built 02-Jul-2023 12:56:17
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 external plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='local'
dc_other_hostnames='glimmer;localhost.localdomain'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:glimmer.localdomain
# /etc/default/exim4
EX4DEF_VERSION=''
# 'combined' - one daemon running queue and listening on SMTP port
# 'no' - no daemon running the queue
# 'separate' - two separate daemons
# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='30m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-10-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages exim4-base depends on:
ii adduser 3.134
ii cron [cron-daemon] 3.0pl1-162
ii debconf [debconf-2.0] 1.5.82
ii exim4-config [exim4-config-2] 4.96-15+deb12u1
ii libc6 2.36-9+deb12u1
ii libdb5.3 5.3.28+dfsg2-1
ii netbase 6.4
ii systemd-sysv 252.12-1~deb12u1
Versions of packages exim4-base recommends:
ii mailutils [mailx] 1:3.15-4
ii psmisc 23.6-1
Versions of packages exim4-base suggests:
ii emacs-nox [mail-reader] 1:28.2+1-15
pn exim4-doc-html | exim4-doc-info <none>
pn eximon4 <none>
ii file 1:5.44-3
ii gnutls-bin 3.7.9-2
ii mailutils [mail-reader] 1:3.15-4
ii openssl 3.0.9-1
pn spf-tools-perl <none>
pn swaks <none>
-- debconf information:
exim4-base/drec:
exim4/purge_spool: false
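An added check (not part of the bug report or the exim4 package) that fetches the MTA's leaf certificate over STARTTLS and reads the validity window straight out of the DER, so it flags a notAfter that precedes notBefore, as in the output above, and not only a plain expiry. fetch_smtp_cert assumes a listening MTA; SAMPLE_DER is a constructed skeleton carrying the report's dates, not a certificate from the report.

```python
import datetime as dt
import smtplib, ssl

def der_tlv(buf, pos=0):
    # Decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # List the (tag, value) pairs inside a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_time(tag, val):   # UTCTime (0x17, YYMMDD..Z) or GeneralizedTime (0x18, YYYYMMDD..Z)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def validity(der_cert):
    # (notBefore, notAfter) of a DER X.509 cert, following the TBSCertificate layout
    tbs = der_children(der_tlv(der_cert)[1])[0][1]     # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields.pop(0)
    nb, na = der_children(fields[3][1])                 # serial, sigAlg, issuer, validity
    return der_time(*nb), der_time(*na)

def check(der_cert, now=None):
    # Classify the validity window; catches the 1970 notAfter shown in the report
    now = now or dt.datetime.now(dt.timezone.utc)
    nb, na = validity(der_cert)
    if na < nb:
        return "invalid: notAfter precedes notBefore"
    return "expired" if now > na else "not yet valid" if now < nb else "ok"

def fetch_smtp_cert(host, port=25):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # STARTTLS without trusting the peer
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.starttls(context=ctx)
        return s.sock.getpeercert(binary_form=True)     # DER leaf certificate

# Constructed sample: skeletal cert (empty issuer, no key/signature) with the report's dates
SAMPLE_DER = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d230807174016Z\x17\x0d700101020000Z")
```

Against a live host, `check(fetch_smtp_cert("127.0.0.1"))` returns anything other than "ok" for a certificate that clients will reject, which is the condition the gnutls-cli and openssl runs above report.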