Re: [exim-dev] Preliminary testing of a new Exim test suite

Author: Philip Hazel
Date:  
To: Daniel Tiefnig
CC: exim-dev
Subject: Re: [exim-dev] Preliminary testing of a new Exim test suite
On Tue, 22 Nov 2005, Daniel Tiefnig wrote:

> The message comes from transports/smtp.c if a required cipher is not
> found, so I wonder why others don't run into this problem. (Or is this
> cipher NOT supposed to be missing?)


I take back what I just wrote in my previous message! I hadn't read far
enough. Take 2:

There *is* supposed to be an error here. The error is supposed to be "no
shared cipher". In your debug output, it occurs early on, during the
connection set up:

10180 SMTP<< STARTTLS
10180 tls_certificate file /home/tiefnig/exim/exim-testsuite-0.00/aux-fixed/cert1
10180 tls_privatekey file /home/tiefnig/exim/exim-testsuite-0.00/aux-fixed/cert1
10180 Initialized TLS
10180 required ciphers: IDEA-CBC-MD5
10180 LOG: MAIN
10180 TLS error on connection from localhost.localdomain (myhost.test.ex)
[192.168.34.107] (SSL_CTX_set_cipher_list): error:144020B9:SSL
routines:SSL_CTX_set_cipher_list:no cipher match
10180 SMTP>> 454 TLS currently unavailable

In my debug output, with a different OpenSSL, it happens later:

28079 SMTP<< STARTTLS
28079 tls_certificate file /source/exim-testsuite/aux-fixed/cert1
28079 tls_privatekey file /source/exim-testsuite/aux-fixed/cert1
28079 Initialized TLS
28079 required ciphers: IDEA-CBC-MD5
28079 host in tls_verify_hosts? no (option unset)
28079 host in tls_try_verify_hosts? no (option unset)
28079 SMTP>> 220 TLS go ahead?
28079 Calling SSL_accept
28079 SSL info: before/accept initialization
28079 SSL info: before/accept initialization
28079 SSL info: SSLv3 read client hello B
28079 SSL info: SSLv3 read client hello B
28079 SSL info: SSLv3 read client hello B
28079 LOG: MAIN
28079   TLS error on connection from xoanon.csi.cam.ac.uk (myhost.test.ex)
        [131.111.10.206] (SSL_accept): error:1408A0C1:SSL
        routines:SSL3_GET_CLIENT_HELLO:no shared cipher
28079 TLS failed to start


My guess is that what has happened is that the IDEA-CBC-MD5 cipher suite
is no longer available in your OpenSSL, so that it barfs when Exim is
setting up TLS, whereas in my OpenSSL, it's there, but the client
doesn't offer it. Or maybe your OpenSSL has tightened up, and checks
that what it's given is plausible.

I think this test pre-dates the availability of tls_require_ciphers as a
transport option. It should be possible to fix it by naming an existing
cipher on the server and forbidding its use on the transport. I'll try
to set that up.

Philip

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.