Re: [Exim] TLS - GNUTLS vs OpenSSL

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Torsten Hilbrich
Datum:  
To: Karl Schmidt
CC: exim-users
Betreff: Re: [Exim] TLS - GNUTLS vs OpenSSL
Karl Schmidt wrote:

> First, thanks to Andreas Metzler for getting me up to speed on building
> Debian packages.
>
> Looks like this is a different problem.
>
> I've had TLS working on two redhat systems that uses the openSSL libs.
> In the migration to Debian, I move one end to Debian (uses GNUTLS). I
> can send from the Redhat end to the Debian end but not the other way.
>
> I get the following when sending from the GNUTLS end to the openSSL box.
> In the GNUTLS exim log:
>
> 2004-05-25 14:50:43 1BSMGz-0001nc-5Y TLS error on connection to
> kiwi.xtronics.com [63.245.152.134] (gnutls_handshake): No supported
> cipher suites have been found.
>
> 2004-05-25 14:50:43 1BSMGz-0001nc-5Y == test@???
> R=dnslookup T=remote_smtp defer (-37): failure while setting up TLS session
>
> Searches of mailing lists don't show this one. Can GNUTLS talk to
> openSSL? Do I need to build different keys? I can figure this out, but
> it would help if I knew where to start looking.


I had the same problems and traced it down to errors with the Client SSL
authentication. I was able to reproduce the problem with the gnutls
client and both stunnel and exim linked against openssl. Here is some
debug output I got from these tests (some computer names changed to
protect the customer). In this example ms02 is running an exim compiled
against openssl on a redhat system:

# gnutls-cli --x509certfile /etc/exim4/projekt.yyy.xx.pem \
--x509keyfile /etc/exim4/projekt.yyy.xx.key -p 25 -s ms02.yyy.xx
Resolving 'ms02.yyy.xx'...
Connecting to '10.82.250.91:25'...


- Simple Client Mode:


220 ms02.yyy.xx ESMTP Exim 4.24 Tue, 23 Mar 2004 09:17:05 +0100
ehlo test
250-ms02.yyy.xx Hello projekt.yyy.xx [10.82.250.244]
250-SIZE 20971520
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
*** Starting TLS handshake
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed

With a higher debug level the error occured on this place:

|<3>| HSK[806fd58]: CERTIFICATE REQUEST was received [9 bytes]
|<2>| ASSERT: auth_cert.c:301
|<2>| ASSERT: auth_cert.c:1046
|<2>| ASSERT: gnutls_handshake.c:2004
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed

However, being unable to solve the problem, I recompiled the debian
package against openssl.

I remember seing discussions about this topic on this list in october
2003. But a quick search didn't turned up the message, maybe Andreas
can remember these mails, he was part of the discussions.

IIRC, in this thread the client side was Debian with gnutls, the server
side was exim with openssl. In this case the TLS connection did not
work. After replacing exim with an openssl-enabled sendmail it worked
without problems.

    Torsten


BTW: Andreas removed from CC, I know he is reading the list.