On 2010-04-09 at 11:32 +0200, Martin Tscholak wrote:
> I tried to use an smtp transport with tls_require_ciphers set (openssl).
> Exim crashed with the following log line and the message was frozen.
>
> 2010-04-09 12:26:01 1O0BPV-0003bv-Gk == test@??? R=simple
> T=remote_smtp defer (-1): smtp transport process returned non-zero
> status 0x000b: terminated by signal 11

There have been a number of OpenSSL releases recently, with security
updates. Did you upgrade OpenSSL but not recompile Exim? (Newer Exim
will give you the build/run-time versions of OpenSSL in { exim -bV }
output). For the most part, recent OpenSSL has been *much* better about
ABI compatibility, but this is still my first suspicion when I see
segfaults in OpenSSL usage from Exim.

> So I tried several combinations of tls_require_ciphers:
>
> works: tls_require_ciphers=DES-CBC3-SHA
> crash: tls_require_ciphers=ALL
> crash: tls_require_ciphers=ALL:!LOW
> crash: tls_require_ciphers=DES-CBC3-SHA:AES128-SHA
>
> If I specified more than one explicit cipher, Exim crashed. A backtrace
> showed it crashed in X509_get_subject_name(server_cert) in function
> tls_client_start.

This is unusual. I myself run with tls_require_ciphers set to a list,
but do not see these crashes, so it's not that simple.

% exim -bP tls_require_ciphers
tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!EDH:!ADH:!aNULL:!NULL:!DES:@STRENGTH

> is the cause. But I am clueless now how to proceed. Attached a core and
> exim.conf.

(1) core files are not much use without the corresponding binary
(2) please don't send core-files to a mailing-list; it's more common to
    put the core-file and binary somewhere and post the URL
(3) You don't mention your OS/distribution, making it even harder to
    replicate
-Phil
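Added example, not part of the message above: a shell function for the check Phil suggests, comparing the compile-time and run-time OpenSSL versions reported by `exim -bV`. The `Compile:`/`Runtime:` line layout, the function name and the two sample reports are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag an Exim binary whose run-time
# OpenSSL differs from the one it was compiled against.
# ASSUMPTION: `exim -bV` prints "OpenSSL: Compile: <ver>" followed by a
# "Runtime: <ver>" line; older Exim releases do not print these at all.

# Reads `exim -bV` text on stdin.
# Prints "match <ver>", "mismatch <compile> | <runtime>" or "unknown".
# Exit status: 0 = match, 1 = mismatch, 2 = versions not reported.
openssl_abi_check() {
    awk '
        /OpenSSL/ && /Compile:/ {
            sub(/.*Compile:[ \t]*/, ""); c = $0; want = 1; next
        }
        /Compile:/ { want = 0 }      # another library (PCRE, DB, ...) starts
        want && /Runtime:/ {
            sub(/.*Runtime:[ \t]*/, ""); r = $0; want = 0
        }
        END {
            if (c == "" || r == "") { print "unknown"; exit 2 }
            if (c == r)             { print "match " c; exit 0 }
            print "mismatch " c " | " r
            exit 1
        }'
}

# Constructed sample reports (not taken from the original poster's system).
SAMPLE_OK='Exim version 4.xx
Library version: OpenSSL: Compile: OpenSSL 0.9.8k 25 Mar 2009
                          Runtime: OpenSSL 0.9.8k 25 Mar 2009'
SAMPLE_BAD='Exim version 4.xx
Library version: PCRE: Compile: 8.00
                       Runtime: 8.02
Library version: OpenSSL: Compile: OpenSSL 0.9.8k 25 Mar 2009
                          Runtime: OpenSSL 0.9.8n 24 Mar 2010'

# Demonstration on the constructed mismatch report.
# On a live host the input would be:  exim -bV | openssl_abi_check
printf '%s\n' "$SAMPLE_BAD" | openssl_abi_check || true
```

A `mismatch` result means Exim should be rebuilt against the installed OpenSSL before a segfault in TLS code is investigated further; `unknown` means the binary does not report library versions.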