Bug#1134984: GNUTLS certificate validation incompatible with certificates lacking a commonName attribute
Andreas Metzler
ametzler at bebt.de
Sun Apr 26 18:02:08 BST 2026
Source: exim4
Version: 4.96-15+
Severity: normal
Forwarded: https://code.exim.org/exim/exim/issues/3215
This is a tracking bug; we want to fix this for stable and perhaps for
oldstable, too.
Excerpt from the messages on exim-dev follows:
https://lists.exim.org/lurker/message/20260413.184322.ecbabb9e.en.html
----- Forwarded message from adsbarratt via Exim-dev <exim-dev at lists.exim.org> -----
We discovered that TLS connections to some hosts were failing.
After some investigation, the common factor appears to be that the
certificate provided by the destination server is lacking a commonName
attribute. This causes verify_certificate() to return e.g.:
DANE attempt failed; TLS connection to [HOST]: (certificate verification
failed): certificate not supplied
Such certificates may be generated by e.g. the use of Let's Encrypt's
"tlsserver" profile - https://letsencrypt.org/docs/profiles/#tlsserver
The CAB Forum now recommends not including commonName, as per
https://github.com/cabforum/servercert/blob/main/docs/BR.md#71272-domain-validated
[...]
16:02:59 702757 gethostbyname2 looked up these IP addresses:
16:02:59 702757 name=pf.adam-barratt.org.uk address=2a03:9800:10:246::2
16:02:59 702757 name=pf.adam-barratt.org.uk address=188.246.206.241
16:02:59 702757 2a03:9800:10:246::2 in tls_verify_hosts? yes (matched "pf.adam-barratt.org.uk")
16:02:59 702757 2a03:9800:10:246::2 in tls_verify_cert_hostnames? yes (matched "*")
16:02:59 702757 TLS: server cert verification includes hostname: "pf.adam-barratt.org.uk"
16:02:59 702757 TLS: server certificate verification required
16:02:59 702757 TLS: will request OCSP stapling
16:02:59 702757 2a03:9800:10:246::2 in tls_resumption_hosts? no (option unset)
16:02:59 702757 about to gnutls_handshake
16:02:59 702757 (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
16:02:59 702757 To get keying info for TLS1.3 is hard:
16:02:59 702757 Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,
16:02:59 702757 and make sure it is writable by the Exim runtime user.
16:02:59 702757 Add SSLKEYLOGFILE to keep_environment in the exim config.
16:02:59 702757 Start Exim as root.
16:02:59 702757 If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
16:02:59 702757 (works for TLS1.2 also, and saves cut-paste into file).
16:02:59 702757 Trying to use add_environment for this will not work
16:02:59 702757 TLS: checking peer certificate
16:02:59 702757 TLS: peer cert problem: getting size for cert DN failed: The requested data were not available.
16:02:59 702757 TLS certificate verification failed (certificate not supplied): peerdn="<unset>"
16:02:59 702757 TLS session fail: (certificate verification failed): certificate not supplied
16:02:59 702757 SMTP(close)>>
16:02:59 702757 cmdlog: '220:EHLO:250-:STARTTLS:220'
16:02:59 702757 set_process_info: 702757 delivering 1wCfI2-002woi-2Z: just tried pf.adam-barratt.org.uk [2a03:9800:10:246::2] for adam at pf.adam-barratt.org.uk: result DEFER
16:02:59 702757 added retry item for T:pf.adam-barratt.org.uk:2a03:9800:10:246::2: errno=-37 more_errno=0,A flags=2
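As an added example (not code from the bug report, from Exim or from GnuTLS), the following Python script shows what a verifier should do with a certificate of the shape described above: it builds a constructed, self-signed leaf certificate with an empty subject and a subjectAltName, treats the empty DN as "empty" rather than "no certificate supplied", and matches the hostname against SAN dNSNames first, consulting commonName only as a legacy fallback when the certificate has no SAN at all. It depends on the third-party `cryptography` package; the hostname `pf.example.test` and the function names are assumptions made for the example.

```python
"""Hostname verification that does not depend on a commonName.

Added example for the CN-less certificate failure above; not Exim's or
GnuTLS's code.  Requires the third-party `cryptography` package.  The
certificates it builds are constructed test data, not real CA output.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEER_HOST = "pf.example.test"  # hypothetical hostname for the constructed cert


def make_cert(san_names, common_name=None):
    """Issue a leaf cert with an optional CN and optional SAN dNSNames.

    With common_name=None the subject is the empty SEQUENCE, the shape the
    bug report describes (e.g. Let's Encrypt's "tlsserver" profile).
    """
    issuer_key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Issuer")])
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    rdns = []
    if common_name is not None:
        rdns.append(x509.NameAttribute(NameOID.COMMON_NAME, common_name))
    subject = x509.Name(rdns)  # x509.Name([]) encodes an empty subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_names:
        # RFC 5280 4.1.2.6: if the subject is empty, SAN MUST be critical.
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]),
            critical=not rdns,
        )
    return builder.sign(issuer_key, hashes.SHA256())


def peer_dn(cert):
    """Render the peer DN for logging; an empty subject is not a missing cert."""
    return cert.subject.rfc4514_string() or "<empty subject>"


def _name_match(presented, hostname):
    """Match one presented DNS identifier against the reference hostname."""
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*":
        # Wildcard only as the whole left-most label, matching exactly one
        # label of the hostname, and never a bare suffix such as "*.test".
        return len(p) >= 3 and len(h) == len(p) and p[1:] == h[1:]
    return p == h


def verify_hostname(cert, hostname):
    """SAN dNSNames decide the match; CN is consulted only if no SAN exists."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        san = None
    if san is not None:
        # When a SAN extension is present the commonName is ignored entirely.
        names = san.value.get_values_for_type(x509.DNSName)
        return any(_name_match(n, hostname) for n in names)
    # Legacy fallback for pre-SAN certificates only.
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return any(_name_match(cn.value, hostname) for cn in cns)


def run_demo():
    """Constructed cases: CN-less cert (the report's shape), CN-only, wildcard."""
    no_cn = make_cert([PEER_HOST])
    cn_only = make_cert([], common_name=PEER_HOST)
    wild = make_cert(["*.example.test"])
    return {
        "no_cn_dn": peer_dn(no_cn),
        "no_cn_ok": verify_hostname(no_cn, PEER_HOST),
        "no_cn_other": verify_hostname(no_cn, "other.example.test"),
        "cn_only_ok": verify_hostname(cn_only, PEER_HOST),
        "wild_ok": verify_hostname(wild, PEER_HOST),
        "wild_no_cross_label": verify_hostname(wild, "a.b.example.test"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of `peer_dn` is the one the debug log above makes: a DN that cannot be fetched because the subject is empty should be logged as empty, and the hostname check should then proceed on the SAN, instead of the handshake being aborted with "certificate not supplied".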