All,
I'm having problems getting TLS working on a fresh install of Exim 4.63
on FreeBSD 6.1. I've done this in the past on FreeBSD 4.x without a
problem, and nothing's really that different on 6.1 as far as OpenSSL
goes, so I'm kind of at a loss to explain the problem. I've tried
searching around, including the list archives, but haven't turned up much.
My specific problem is that Exim segfaults (signal 11) every time I try
to start up a TLS session, either with STARTTLS or with a connection on
a tls_on_connect_ports port. Running Exim with -d+all+tls, the last
events I see are:
11:32:04 50324 tls_certificate file /usr/local/exim/etc/krellis.org.pem
11:32:04 50322 child 50324 ended: status=0xb
When trying to connect to the TLS on connect port with the OpenSSL
s_client for debugging purposes, I get an ssl_handshake_failure:
39862:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:226:
When running the appropriate Exim process under gdb, the stack backtrace
at the time of segfault looks like this:
#0 0x56e58955 in ?? ()
#1 0x283b4c49 in RSA_free () from /lib/libcrypto.so.4
#2 0x283cf6ad in EVP_PKEY_get1_DH () from /lib/libcrypto.so.4
#3 0x283cf73d in EVP_PKEY_free () from /lib/libcrypto.so.4
#4 0x283c78f0 in ENGINE_set_digests () from /lib/libcrypto.so.4
#5 0x283da6be in ASN1_primitive_free () from /lib/libcrypto.so.4
#6 0x283da84e in ASN1_template_free () from /lib/libcrypto.so.4
#7 0x283da768 in ASN1_primitive_free () from /lib/libcrypto.so.4
#8 0x283da84e in ASN1_template_free () from /lib/libcrypto.so.4
#9 0x283da768 in ASN1_primitive_free () from /lib/libcrypto.so.4
#10 0x283da887 in ASN1_item_free () from /lib/libcrypto.so.4
#11 0x283aff65 in X509_free () from /lib/libcrypto.so.4
#12 0x2830b16e in SSL_CTX_use_certificate_chain_file ()
from /usr/lib/libssl.so.4
#13 0x080c963e in string_log_address ()
#14 0x080c9bab in tls_server_start ()
#15 0x080c1fbc in smtp_setup_msg ()
#16 0x08080a4b in daemon_go ()
#17 0x080910c1 in main ()
The one thread I found in the archives seemed to indicate a possible
OpenSSL problem. However, I was able to connect using the openssl
s_server and the same certificate I am trying to get Exim to use, from
an openssl s_client on the host that I am testing from, without any
problems.
Has anyone else run across this? I've double-checked that the various
TLS options in Local/Makefile are right, and ldd seems to indicate that
my Exim binary is linked to the appropriate libraries:
/usr/local/exim/bin/exim:
libcrypt.so.3 => /lib/libcrypt.so.3 (0x281b6000)
libm.so.4 => /lib/libm.so.4 (0x281ce000)
libutil.so.5 => /lib/libutil.so.5 (0x281e4000)
libpam.so.3 => /usr/lib/libpam.so.3 (0x281f0000)
libperl.so => /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
(0x281f7000)
libssl.so.4 => /usr/lib/libssl.so.4 (0x282f6000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x28324000)
libc.so.6 => /lib/libc.so.6 (0x28416000)
I've also verified that other things compiled against OpenSSL on this
system can speak SSL without a problem. In particular, dovecot
imaps/pop3s work fine, again with the same certificates that I am trying
to use with Exim.
Any assistance anyone can provide would be greatly appreciated.
Thanks,
Tim Wilde
