From nobody Sun May  3 17:34:06 2026
Received: (at submit) by bugs.debian.org; 26 Apr 2026 17:02:18 +0000
Date: Sun, 26 Apr 2026 19:02:08 +0200
From: Andreas Metzler <ametzler@bebt.de>
To: submit@bugs.debian.org
Subject: GNUTLS certificate validation incompatible with certificates lacking
 a commonName attribute
Message-ID: <ae5FED26tcwYy2Y_@argenau.bebt.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Debbugs-Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Delivered-To: submit@bugs.debian.org

Source: exim4
Version: 4.96-15+
Severity: normal
Forwarded: https://code.exim.org/exim/exim/issues/3215

This is a tracking bug; we want to fix this for stable and perhaps for
oldstable, too.

Excerpt from the messages on exim-dev follows:
https://lists.exim.org/lurker/message/20260413.184322.ecbabb9e.en.html

----- Forwarded message from adsbarratt via Exim-dev <exim-dev@lists.exim.org> -----

We discovered that TLS connections to some hosts were failing.

After some investigation, the common factor appears to be that the
certificate provided by the destination server is lacking a commonName
attribute. This causes verify_certificate() to return e.g.:

DANE attempt failed; TLS connection to [HOST]: (certificate verification
failed): certificate not supplied

Such certificates may be generated by e.g. the use of LetsEncrypt's
"tlsserver" profile - https://letsencrypt.org/docs/profiles/#tlsserver

The CAB Forum now recommends not including commonName, as per
https://github.com/cabforum/servercert/blob/main/docs/BR.md#71272-domain-validated

[...]
16:02:59 702757 gethostbyname2 looked up these IP addresses:
16:02:59 702757   name=pf.adam-barratt.org.uk address=2a03:9800:10:246::2
16:02:59 702757   name=pf.adam-barratt.org.uk address=188.246.206.241
16:02:59 702757 2a03:9800:10:246::2 in tls_verify_hosts? yes (matched "pf.adam-barratt.org.uk")
16:02:59 702757 2a03:9800:10:246::2 in tls_verify_cert_hostnames? yes (matched "*")
16:02:59 702757 TLS: server cert verification includes hostname: "pf.adam-barratt.org.uk"
16:02:59 702757 TLS: server certificate verification required
16:02:59 702757 TLS: will request OCSP stapling
16:02:59 702757 2a03:9800:10:246::2 in tls_resumption_hosts? no (option unset)
16:02:59 702757 about to gnutls_handshake
16:02:59 702757 (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
16:02:59 702757 To get keying info for TLS1.3 is hard:
16:02:59 702757  Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
16:02:59 702757  and make sure it is writable by the Exim runtime user.
16:02:59 702757  Add SSLKEYLOGFILE to keep_environment in the exim config.
16:02:59 702757  Start Exim as root.
16:02:59 702757  If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
16:02:59 702757  (works for TLS1.2 also, and saves cut-paste into file).
16:02:59 702757  Trying to use add_environment for this will not work
16:02:59 702757 TLS: checking peer certificate
16:02:59 702757 TLS: peer cert problem: getting size for cert DN failed: The requested data were not available.
16:02:59 702757 TLS certificate verification failed (certificate not supplied): peerdn="<unset>"
16:02:59 702757 TLS session fail: (certificate verification failed): certificate not supplied
16:02:59 702757   SMTP(close)>>
16:02:59 702757 cmdlog: '220:EHLO:250-:STARTTLS:220'
16:02:59 702757 set_process_info: 702757 delivering 1wCfI2-002woi-2Z: just tried pf.adam-barratt.org.uk [2a03:9800:10:246::2] for adam@pf.adam-barratt.org.uk: result DEFER
16:02:59 702757 added retry item for T:pf.adam-barratt.org.uk:2a03:9800:10:246::2: errno=-37 more_errno=0,A flags=2
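The log above shows a certificate with an empty subject DN being reported as "certificate not supplied". The following added example (not exim's or GnuTLS's code) is a peer-name check written the way RFC 6125 expects: subjectAltName dNSName entries are authoritative, commonName is only a legacy fallback, and an absent subject DN is distinguished from an absent certificate. It works on the dict layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates at the bottom are constructed, not real.

```python
"""Peer-name check that tolerates a certificate with no subject DN.

Operates on the dict layout returned by ssl.SSLSocket.getpeercert()
(keys 'subject' and 'subjectAltName'). Sample certs below are constructed.
"""


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may only stand for one whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def check_peer_name(cert: dict, hostname: str) -> tuple:
    """Return (ok, reason). An empty subject DN is not an error by itself."""
    if not cert:
        # Only a genuinely missing certificate earns this verdict.
        return False, "certificate not supplied"
    san_dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        # SANs present: they are authoritative and the CN is ignored entirely,
        # so a cert from a CN-less profile verifies like any other.
        if any(_label_match(n, hostname) for n in san_dns):
            return True, "matched subjectAltName"
        return False, "hostname not in subjectAltName %r" % (san_dns,)
    # No SAN: legacy fallback to commonName, if the subject carries one.
    cns = [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]
    if not cns:
        return False, "certificate carries no DNS identifiers"
    if any(_label_match(cn, hostname) for cn in cns):
        return True, "matched commonName (legacy fallback)"
    return False, "hostname does not match commonName %r" % (cns,)


# Constructed samples (not real certificates), in getpeercert() layout.
SAN_ONLY_CERT = {"subject": (), "subjectAltName": (("DNS", "pf.example.org"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.org"),),)}
MISMATCHED_CN_CERT = {"subject": ((("commonName", "other.example.org"),),),
                      "subjectAltName": (("DNS", "*.example.org"),)}
```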