
DANE(TA) doesn't work with self signed certificates
Hello Exim-users-list,

shortly we introduced DANE but soon afterwards we detected problems
sending mails to domains using DANE(TA) with self signed certificates.
Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:

dns_dnssec_ok = 1

...

begin routers

...

world:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
dnssec_request_domains = *
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

begin transports

...

remote_smtp:
driver = smtp
tls_require_ciphers = NORMAL
hosts_try_dane = *
connect_timeout = 1m

According to the logfiles Exim complains about the certificates:
"R=world T=remote_smtp defer (-37) H=xyz [1.2.3.4]: TLS session:
(certificate verification failed): certificate invalid". Even switching
to debug level doesn't give further information. The TLSA record suits
the CA certificate and the remote server delivers the complete
certificate chain. On this side everything seems to be okay.

Once the self signed certificate is added to the operating system's
certificate store everything works fine. Contrary, after removing a well
known CA certificate from this store, sending mails to DANE aware
domains using DANE(TA) and the corresponding CA certificate fails with
the error specified above.

Any help is much appreciated. It could be Exim's DANE implementation or,
most likely, a fault in our configuration.

Kind regards

++Michael Westerburg

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: DANE(TA) doesn't work with self signed certificates
On 09/04/2018 01:26 PM, Michael Westerburg via Exim-users wrote:
> problems
> sending mails to domains using DANE(TA) with self signed certificates.

> Once the self signed certificate is added to the operating system's
> certificate store everything works fine. Contrary, after removing a well
> known CA certificate from this store, sending mails to DANE aware
> domains using DANE(TA) and the corresponding CA certificate fails

As the docs say:

"DANE-TA usage is effectively declaring a specific CA to be used; this
might be a private CA or a public, well-known one."

That CA needs to be known by the Exim configuration.

--
Cheers,
Jeremy

Re: DANE(TA) doesn't work with self signed certificates
> On Sep 4, 2018, at 8:52 AM, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>
> As the docs say:
>
> "DANE-TA usage is effectively declaring a specific CA to be used; this
> might be a private CA or a public, well-known one."
>
> That CA needs to be known by the Exim configuration.

Sorry, that's simply wrong. Exim MUST support validation via
DANE-TA(2) trust-anchors that ARE NOT configured locally. Indeed
Exim SHOULD ignore the local trust-anchors when validating usage
DANE-TA(2) TLSA records. All that's required is that the remote
server include the trust-anchor certificate in its TLS certificate
message.

If Exim is to claim DANE support it MUST either correctly handle
non-public trust-anchors, or else MUST ignore "unusable" TLSA
RRsets that contain DANE-TA(2) TLSA records. Indeed even "mixed"
TLSA RRsets with some DANE-EE(3) records and some DANE-TA(2)
records should probably be ignored until this issue (if not user
error), because quite often only the DANE-TA(2) records are valid.

My advice to the user would be to use a version of Exim that
is linked with OpenSSL and NOT GnuTLS. The Exim DANE support
in combination with GnuTLS is not nearly as well tested or
supported.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificates

I had the same problem some days ago.

I do not trust any CA, so no CA is in my truststore. However, some days
ago, I posted to lists.gentoo.org. They have a valid TLSA entry but exim
told me that it can't be validated so the mail stuck in queue.

After I enabled (temporarily) the random CA they use, I got a
successful delivery with the log file saying that it was validated via
DANE.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

Re: DANE(TA) doesn't work with self signed certificates
> On Sep 5, 2018, at 1:56 AM, Klaus Ethgen via Exim-users <exim-users@exim.org> wrote:
>
> I had the same problem some days ago.
>
> I do not trust any CA, so no CA is in my truststore. However, some days
> ago, I posted to lists.gentoo.org. They have a valid TLSA entry but exim
> told me that it can't be validated so the mail stuck in queue.
>
> After I enabled (temporarily) the random CA they use, I got a
> successful delivery with the log file saying that it was validated via
> DANE.

For now, switch to a version of Exim that is compiled with OpenSSL.
There's nothing wrong with your original configuration or with
gentoo.org's DANE TLSA records. The issue is that Exim with GnuTLS
does not presently seem to handle DANE-TA(2) correctly.

Abbreviated trace from my DANE survey engine (the certificate issuer
is "Let's Encrypt Authority X3"):

gentoo.org. IN MX 10 mail.gentoo.org. ; NoError AD=1
_25._tcp.mail.gentoo.org. IN CNAME postfix-tlsa.woodpecker.gentoo.org. ; NoError AD=1
postfix-tlsa.woodpecker.gentoo.org. IN CNAME generic-letsencrypt.tlsa.gentoo.org. ; NoError AD=1
generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b ; NoError AD=1
generic-letsencrypt.tlsa.gentoo.org. IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 ; NoError AD=1
mail.gentoo.org[140.211.166.183]: pass: TLSA match: depth = 1, name = mail.gentoo.org
depth = 1
pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
depth = 2
pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b
mail.gentoo.org[2001:470:ea4a:1:5054:ff:fec7:86e4]: pass: TLSA match: depth = 1, name = mail.gentoo.org
depth = 1
pkey sha256 [matched] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
depth = 2
pkey sha256 [matched] <- 2 1 1 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificates
Hi Viktor,

Looking at this reported issue, trying to set up a testcase in the Exim
testsuite for it...

I've gotten as far as a failure in the OpenSSL-linked version. It dies
apparently disliking a selfsigned cert, specifically:


21:42:14 19586 Calling SSL_connect
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS read server hello
21:42:14 19586 Dane verify_cert
21:42:14 19586 verify_callback_client_dane: BAD depth 0 /CN=Jeremy
Harris/OU=Test Suite/O=The Exim Maintainers/C=UK
21:42:14 19586 - err 18 'self signed certificate'
21:42:14 19586 SSL info: SSLv3/TLS read server certificate
21:42:14 19586 SSL info: error
21:42:14 19586 Dane lib-cleanup
21:42:14 19586 LOG: MAIN
21:42:14 19586 DANE attempt failed; TLS connection to
dane256tas.test.ex [192.168.0.223]: (SSL_connect): error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed


The routine verify_callback_client_dane() looks like:

static int
verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
uschar dn[256];
int depth = X509_STORE_CTX_get_error_depth(x509ctx);

X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
dn[sizeof(dn)-1] = '\0';

DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
preverify_ok ? "ok":"BAD", depth, dn);
...
}



I'm assuming I've missed something out from the cert I've put together?
It has
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81
X509v3 Authority Key Identifier:

keyid:BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81

X509v3 Subject Alternative Name:
DNS:test.ex


Any ideas?
--
Thanks,
Jeremy

Re: DANE(TA) doesn't work with self signed certificates
On 9/4/18 1:26 PM, Michael Westerburg via Exim-users wrote:
> shortly we introduced DANE but soon afterwards we detected problems
> sending mails to domains using DANE(TA) with self signed certificates.
> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:

> According to the logfiles Exim complains about the certificates:
> "R=world T=remote_smtp defer (-37) H=xyz [1.2.3.4]: TLS session:
> (certificate verification failed): certificate invalid". Even switching
> to debug level doesn't give further information. The TLSA record suits
> the CA certificate and the remote server delivers the complete
> certificate chain. On this side everything seems to be okay.

I've managed to reproduce the situation in the Exim testsuite.
With the current master branch, built with OpenSSL it works fine;
built with GnuTLS (v 3.6.3 on Fedora 28) it does not.

[testcases 5822, 5842 for anyone following along at home...]

This is with a selfsigned cert on the server, with "CA" extension
and a wildcard SAN covering the server dns name.

The call into GnuTLS which does not succeed is dane_verify_crt_raw();
it seems to be claiming that the list of one TLSA record we feed
it has none suitable for use. There is, unfortunately, no debug
output for its internal workings even with the usual GnuTLS library
debug level at "9".


TA (2 1 1) fails in the same way.

An EE-mode (3 1 1) works ok, so that's one possible workaround.
A LetsEncrypt cert rather than a selfsigned might be another.

I've not tried the gentoo.org case.
--
Cheers,
Jeremy

Re: DANE(TA) doesn't work with self signed certificates
> On Sep 4, 2018, at 8:26 AM, Michael Westerburg via Exim-users <exim-users@exim.org> wrote:
>
> Hello Exim-users-list,
>
> shortly we introduced DANE but soon afterwards we detected problems
> sending mails to domains using DANE(TA) with self signed certificates.
> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:

For the record, your terminology is misleading. Self-signed certificate
is usually taken to mean that the server's certificate is not issued
by any CA at all, and is simply signed with its own key.

It seems you mean a "private" issuer CA, or any root CA that is not
included in the local trust store used for non-DANE verification.

Your report really should also be specific about which destination
domain you're having trouble with and what the TLSA records were
at the time.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificates
> On Sep 9, 2018, at 10:47 AM, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>
> I've managed to reproduce the situation in the Exim testsuite.
> With the current master branch, built with OpenSSL it works fine;
> built with GnuTLS (v 3.6.3 on Fedora 28) it does not.

I did not expect DANE-TA(2) TLSA records to match a depth 0
self-signed "CA" cert. If it works, it is an implementation
choice, not something required by the specification. The
OpenSSL 1.1.x DANE implementation will not match in this case.

I forgot that the danessl code I contributed that handles
DANE for OpenSSL 1.0.x does match in this case, as a concession
to users who decide to be that creative. Perhaps I should not
have been so liberal.

https://github.com/vdukhovni/ssl_dane/blob/master/danessl.c#L580-L588

That code originated in Postfix, where it seems degenerate depth 0
self-signed CAs are also supported. Seems at the time I wanted to
make every reasonable effort to match if possible, effectively
interpreting the "2 1 1" as a "3 1 1". I don't see any of these
in the wild, and support for this edge-case could be removed.

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dane.c#L1746-L1762

However, nobody can complain if it fails to work, this edge-case
is not supported by the standards.

I think the OP here actually has trouble with a real CA.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificates
Hello Viktor,

On 09/09/2018 07:48 PM, Viktor Dukhovni via Exim-users wrote:
>
>
>> On Sep 4, 2018, at 8:26 AM, Michael Westerburg via Exim-users <exim-users@exim.org> wrote:
>>
>> Hello Exim-users-list,
>>
>> shortly we introduced DANE but soon afterwards we detected problems
>> sending mails to domains using DANE(TA) with self signed certificates.
>> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:
>
> For the record, your terminology is misleading. Self-signed certificate
> is usually taken to mean that the server's certificate is not issued
> by any CA at all, and is simply signed with its own key.

thanks for the correction. This is not the situation here.

> It seems you mean a "private" issuer CA, or any root CA that is not
> included in the local trust store used for non-DANE verification.

But this is. You are absolutely right. Sorry for my misleading description.

> Your report really should also be specific about which destination
> domain you're having trouble with and what the TLSA records were
> at the time.

The domain is: bayern.de

$ dig +short -t mx bayern.de
10 mail.bayern.de.
$ dig +short -t tlsa _25._tcp.mail.bayern.de.
2 0 1 32A2BC1D515CDBC412B62B47A1CCCF2BB1B8E3EF309F982458D3A7C6 1797422A
$ echo | openssl s_client -crlf -showcerts -starttls smtp -connect mail.bayern.de:25

The last command proves that the mail-server delivers the whole chain
which consists of a self signed certificate "CN=Bayerische DANE-CA" plus
the server certificate "CN=mail.bayern.de". By extracting the self
signed certificate from the output above one can easily confirm the
TLSA. So everything seems to be okay, except the two log messages:

2018-09-10 11:12:24.925 1fzIF5-00070c-KS DANE attempt failed; TLS
connection to mail.bayern.de [195.200.70.95]: (certificate verification
failed): certificate invalid
2018-09-10 11:12:26.128 1fzIF5-00070c-KS DANE attempt failed; TLS
connection to mail.bayern.de [195.200.70.104]: (certificate verification
failed): certificate invalid

Adding the self signed certificate to the local trust store solves the
problem.

++Michael

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028

Re: DANE(TA) doesn't work with self signed certificates
On Mon, Sep 10, 2018 at 11:30:03AM +0200, Michael Westerburg wrote:

> > It seems you mean a "private" issuer CA, or any root CA that is not
> > included in the local trust store used for non-DANE verification.
>
> You are absolutely right. Sorry for my misleading description.
>
> > Your report really should also be specific about which destination
> > domain you're having trouble with and what the TLSA records were
> > at the time.
>
> The domain is : bayern.de

Thanks. That helps.

> The last command proves that the mail-server delivers the whole chain
> which consists of a self signed certificate "CN=Bayerische DANE-CA" plus
> the server certificate "CN=mail.bayern.de". By extracting the self
> signed certificate from the output above

And yet, you persisted... :-) Let's call that the "issuer" certificate.

> one can easily confirm the
> TLSA. So everything seems to be okay, except the two log messages:
>
> 2018-09-10 11:12:24.925 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.95]: (certificate verification
> failed): certificate invalid
> 2018-09-10 11:12:26.128 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.104]: (certificate verification
> failed): certificate invalid

With "posttls-finger" (from Postfix, running code similar to what
happens in Exim with OpenSSL) I get:

posttls-finger: using DANE RR: _25._tcp.mail.bayern.de IN TLSA 2 0 1 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
posttls-finger: mail.bayern.de[195.200.70.104]:25: depth=1 matched trust anchor certificate sha256 digest 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
posttls-finger: mail.bayern.de[195.200.70.104]:25 Matched CommonName mail.bayern.de
posttls-finger: mail.bayern.de[195.200.70.104]:25: subject_CN=mail.bayern.de, issuer_CN=Bayerische DANE-CA, fingerprint=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B, pkey_fingerprint=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
posttls-finger: Verified TLS connection established to mail.bayern.de[195.200.70.104]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Certificate chain
0 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=mail.bayern.de/emailAddress=Behoerdennetzdienste@bayern.de
issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@bayern.de
cert digest=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B
pkey digest=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@bayern.de
issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@bayern.de
cert digest=32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
pkey digest=02:D4:41:22:7B:2F:B8:90:78:4A:EB:7D:88:43:64:53:96:28:8B:51:0C:5B:55:F6:CA:63:EA:B4:FB:CE:B9:F9
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAInKifW+FkGxMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5
ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hlIERBTkUtQ0ExLTArBgkqhkiG9w0BCQEW
HkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTAeFw0xODA3MDkwOTIwMDBa
Fw0yODA3MTYwOTIwMDBaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJu
MRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hl
IERBTkUtQ0ExLTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJh
eWVybi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrMniddtbQS
cEmtDdBR5EpsWNkYaNCJe0mEdUk5BifGTmjvUc0IBNKXbxB8BvOWWsHI7cIBl3Hw
/KfYjjqwf/+jD9k60MWyhwmcBdo8FR1P4dbz8cyGdWmOmQ0pc4iNkxS9dGJIsP+Y
hTmtQ/KMKuZk2DFfsdJEqoxMZrWz34m2cremRB4Afs18d4OlhCsq26YXizkow3Cq
Z9llEXFpo0dhHo4+oMNU1eyfYzK5RboJAl0nEUcQZgSB9hDk/ASl93Jd5lBkzFby
cL/oNmdx6PJFEmOTwb09XqefkoJhSgl6vP5K65XXt4LrB4tv1dtaXOmHQYU//Sbp
N5sql5510jECAwEAAaNQME4wHQYDVR0OBBYEFOWP/IkeaU8GdDvH41mC/X5jCc04
MB8GA1UdIwQYMBaAFOWP/IkeaU8GdDvH41mC/X5jCc04MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAGAa2rbVNm2m/89RC6oQiUi0Qgc4H7F77CMTUaSf
/DK0W3H4pec9YZh6ka5T8bTGyvHnyaczb1Q2k4Y1u1dRm354wU83/SN3W1/9sgpE
hGMDh2SyE/Tuq3MWVQ9OlZ69FUUVTb9IdIxoPuUai+DRWq4ujcxUZNfFgJ1IRycc
c9dTnWDTpRfq/y90snqsS4AMeJ15vASO6btGubLkrcCbdiFYHJzfp/OfVVTCEt7l
ukdpeGYdKZ/vZkBc3ETrgMv6Ikt65QC1TuMqaieq9rdxdv+meKCDGZOn/4aVCFBw
4nNBGePJYTXxfPMv7HpwRn2Y+DU1OcRrWYfRsSuoVE3HzMU=
-----END CERTIFICATE-----

> Adding the self signed certificate to the local trust store solves the
> problem.

It looks like some function Exim is calling when using GnuTLS
branches into parts of GnuTLS that require a match in the local
trust store. This chain has a DANE-TA(2) match to a direct issuer
CA (that happens to be self-signed, but that's secondary) with no
intermediate certificates in the path between the EE cert and
trust-anchor.

--
Viktor.
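
The thread turns on two points: a DANE-TA(2) record must be matched against an issuer certificate that the server itself sends in its Certificate message, never against the local trust store, and a depth-0 self-signed "CA" matching a usage-2 record is an implementation concession rather than something the standard requires. The following is an added example illustrating both, written for this thread; it is not Exim, GnuTLS, Postfix or danessl code. It uses only the Python standard library, with a minimal DER walker that extracts the SubjectPublicKeyInfo so that selector 0 (full certificate) and selector 1 (SPKI) digests can be computed. The certificate embedded below is the "Bayerische DANE-CA" issuer certificate quoted in the posttls-finger output above, and the TLSA record is the one from Michael's dig output. The server (EE) certificate is not on the page, so the chain uses a constructed placeholder for it; the `allow_depth0_ta` flag is an assumption that models the danessl/Postfix concession Viktor describes, and only the TLSA digest match is modelled here, the EE-to-anchor signature check and the name check that a real TLS library performs afterwards are not.

```python
"""TLSA digest matching against a presented certificate chain (added example)."""
import base64
import hashlib

# Issuer certificate exactly as quoted in the thread (Bayerische DANE-CA).
BAYERN_CA_PEM = """-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAInKifW+FkGxMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5
ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hlIERBTkUtQ0ExLTArBgkqhkiG9w0BCQEW
HkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTAeFw0xODA3MDkwOTIwMDBa
Fw0yODA3MTYwOTIwMDBaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJu
MRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hl
IERBTkUtQ0ExLTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJh
eWVybi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrMniddtbQS
cEmtDdBR5EpsWNkYaNCJe0mEdUk5BifGTmjvUc0IBNKXbxB8BvOWWsHI7cIBl3Hw
/KfYjjqwf/+jD9k60MWyhwmcBdo8FR1P4dbz8cyGdWmOmQ0pc4iNkxS9dGJIsP+Y
hTmtQ/KMKuZk2DFfsdJEqoxMZrWz34m2cremRB4Afs18d4OlhCsq26YXizkow3Cq
Z9llEXFpo0dhHo4+oMNU1eyfYzK5RboJAl0nEUcQZgSB9hDk/ASl93Jd5lBkzFby
cL/oNmdx6PJFEmOTwb09XqefkoJhSgl6vP5K65XXt4LrB4tv1dtaXOmHQYU//Sbp
N5sql5510jECAwEAAaNQME4wHQYDVR0OBBYEFOWP/IkeaU8GdDvH41mC/X5jCc04
MB8GA1UdIwQYMBaAFOWP/IkeaU8GdDvH41mC/X5jCc04MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAGAa2rbVNm2m/89RC6oQiUi0Qgc4H7F77CMTUaSf
/DK0W3H4pec9YZh6ka5T8bTGyvHnyaczb1Q2k4Y1u1dRm354wU83/SN3W1/9sgpE
hGMDh2SyE/Tuq3MWVQ9OlZ69FUUVTb9IdIxoPuUai+DRWq4ujcxUZNfFgJ1IRycc
c9dTnWDTpRfq/y90snqsS4AMeJ15vASO6btGubLkrcCbdiFYHJzfp/OfVVTCEt7l
ukdpeGYdKZ/vZkBc3ETrgMv6Ikt65QC1TuMqaieq9rdxdv+meKCDGZOn/4aVCFBw
4nNBGePJYTXxfPMv7HpwRn2Y+DU1OcRrWYfRsSuoVE3HzMU=
-----END CERTIFICATE-----"""

# TLSA RR for _25._tcp.mail.bayern.de as printed by dig in the thread (dig
# splits long hex fields with a space; the parser below rejoins them).
BAYERN_TLSA = "2 0 1 32A2BC1D515CDBC412B62B47A1CCCF2BB1B8E3EF309F982458D3A7C6 1797422A"


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value_start, value_end).
    Assumes single-byte tags, which holds for the X.509 levels walked here."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (full TLV) of a certificate: the
    input to a selector-1 digest. Raises ValueError on unparsable input."""
    tag, start, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, _ = _tlv(cert_der, start)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                             # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)              # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert_der[pos:end]


def tlsa_digest(cert_der, selector, mtype):
    """Association data for one certificate: selector 0 = whole cert,
    selector 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    return {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)


def parse_tlsa(text):
    f = text.split()
    return int(f[0]), int(f[1]), int(f[2]), bytes.fromhex("".join(f[3:]))


def usable(record):
    """RFC 7672 treats PKIX-TA(0)/PKIX-EE(1) as unusable for SMTP; unknown
    selectors or matching types are unusable too and simply ignored."""
    usage, selector, mtype, _ = record
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def match_chain(records, chain_der, allow_depth0_ta=False):
    """Return (depth, record) for the first TLSA match, or None.
    chain_der[0] is the server (EE) cert; the rest are issuers as sent by the
    server. DANE-EE(3) matches only depth 0. DANE-TA(2) matches an issuer at
    depth >= 1 taken from the chain itself, never from the local trust store;
    allow_depth0_ta=True reproduces the danessl concession that also matches a
    depth-0 self-signed "CA" (assumed flag, not required by the standard)."""
    usable_records = [r for r in records if usable(r)]
    if not usable_records:
        return None                                # no usable RRs: no DANE, not a failure
    for rec in usable_records:
        usage, selector, mtype, data = rec
        first = 0 if usage == 3 or allow_depth0_ta else 1
        last = 1 if usage == 3 else len(chain_der)
        for depth in range(first, last):
            try:
                if tlsa_digest(chain_der[depth], selector, mtype) == data:
                    return depth, rec
            except ValueError:
                continue                           # unparsable cert cannot match
    return None


if __name__ == "__main__":
    ca = pem_to_der(BAYERN_CA_PEM)
    leaf = b"constructed placeholder for the mail.bayern.de EE certificate"
    print("cert sha256:", tlsa_digest(ca, 0, 1).hex())
    print("spki sha256:", tlsa_digest(ca, 1, 1).hex())
    rec = parse_tlsa(BAYERN_TLSA)
    print("issuer at depth 1:", match_chain([rec], [leaf, ca]))
    print("self-signed at depth 0:", match_chain([rec], [ca]))
    print("depth 0 with concession:", match_chain([rec], [ca], allow_depth0_ta=True))
```

The selector-0 SHA-256 of the embedded issuer certificate is what the "2 0 1" record carries, so the chain matches at depth 1 with nothing consulted outside the chain; the same certificate presented alone as a depth-0 self-signed server certificate does not match a usage-2 record unless the concession flag is set, which is the distinction Viktor draws between the OpenSSL 1.1.x behaviour and danessl. A record with usage 0 or 1 in the same RRset is skipped rather than causing a failure, which is the treatment of "unusable" records argued for earlier in the thread.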
