[exim] 4.80 RC2 TLS interop between GnuTLS and NSS

Pàgina inicial
Delete this message
Reply to this message
Autor: Janne Snabb
Data:  
A: exim-users
Assumptes vells: [exim] Exim 4.80 RC2 uploaded
Assumpte: [exim] 4.80 RC2 TLS interop between GnuTLS and NSS
On 2012-05-19 14:50, Phil Pennock wrote:
> I have uploaded Exim 4.80 RC2 to:
>     ftp://ftp.exim.org/pub/exim/exim4/test/

[..]
> Please report issues in reply to this email, on exim-users.


I think there is some TLS interoperability issue between Exim 4.80 RC2
built with GnuTLS and NSS (Netscape Security Services) on the client side.

I built RC2 on Ubuntu 12.04 x86_64 and as a result Thunderbird email
client on the same platform was not able to negotiate STARTSSL any
longer. The Thunderbird error message was not helpful at all:

Sending of message failed.
The message could not be sent using SMTP server localhost for an unknown
reason. Please verify that your SMTP server settings are correct and try
again, or contact your network administrator.

On the Exim side I see this (exim -bd -d-all+tls):

18935 Listening...
18935 Connection request from 127.0.0.1 port 47545
18935 1 SMTP accept process running
18935 Listening...
18939 Process 18939 is handling incoming connection from [127.0.0.1]
18939 Process 18939 is ready for new message
18939 initialising GnuTLS as a server
18939 GnuTLS global init required.
18939 initialising GnuTLS server session
18939 Expanding various TLS configuration options for session credentials.
18939 certificate file = /opt/exim/exim.crt
18939 key file = /opt/exim/exim.key
18939 TLS: cert/key registered
18939 TLS: tls_verify_certificates not set or empty, ignoring
18939 Initialising GnuTLS server params.
18939 GnuTLS tells us that for D-H PK, NORMAL is 2432 bits.
18939 read D-H parameters from file "/var/spool/exim/gnutls-params-2432"
18939 initialized server D-H parameters
18939 GnuTLS using default session cipher/priority "NORMAL"
18939 TLS: a client certificate will not be requested.
18939 Received TLS SNI "localhost" (unused for certificate selection)
18939 LOG: MAIN
18939 TLS error on connection from localhost [127.0.0.1
(gnutls_handshake): A TLS packet with unexpected length was received.
18939 TLS failed to start
18939 LOG: smtp_connection MAIN
18939 SMTP connection from localhost [127.0.0.1] closed by EOF
18935 child 18939 ended: status=0x0
18935 normal exit, 0
18935 0 SMTP accept processes now running
18935 Listening...

Exim 4.80 RC2 has the following relevant build options:

SUPPORT_TLS=yes
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls

And in the configuration:

tls_advertise_hosts = *
tls_certificate = /opt/exim/exim.crt
tls_privatekey = /opt/exim/exim.key
daemon_smtp_ports = 25 : 443 : 587
tls_on_connect_ports = 443

Everything works fine with Exim 4.77 with the following build options:

SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-lgnutls -ltasn1 -lgcrypt

...and the same run-time configuration.

To debug this further, I pointed my firefox browser (which also uses
NSS) to https://localhost/ (which is a bit odd way to debug SMTP
problems, but I could not find any simple command-line client for
talking TLS with NSS). With firefox I got the following message when
connecting to 4.80 RC2:

Secure Connection Failed
An error occurred during a connection to localhost.
Unable to generate public/private key pair.
(Error code: sec_error_keygen_fail)

The log on the server side says again: "A TLS packet with unexpected
length was received."

When connecting with chromium I get the following:

This webpage is not available
The webpage at https://localhost/ might be temporarily down or it may
have moved permanently to a new web address.
Error 2 (net::ERR_FAILED): Unknown error.

When connecting to Exim 4.77 with GnuTLS using firefox I get the usual
complaint about untrusted certificate. After confirming a security
exception I can see the following in Exim's debug output:

20776 SMTP syntax error in "GET /favicon.ico HTTP/1.1" H=localhost
[127.0.0.1] unrecognized command

This obviously indicates that the TLS connection was successfully
negotiated this time.

If I compile Exim 4.80 RC2 with OpenSSL everything works fine. Also if I
test against Exim 4.80 RC2 with GnuTLS using "openssl s_client" or swaks
I do not have any issues. This seems to be NSS specific.

The GnuTLS library version on Ubuntu 12.04 is "2.12.14-5ubuntu3" and NSS
library is "3.13.1.with.ckbi.1.88-1ubuntu6".


I am trying this out next with Scientific Linux 6.2 (should be the same
as RHEL/CentOS 6.2) which has a different GnuTLS version. But it will
take some time.


Meanwhile, is anyone else able to reproduce this on the same or another
platform? Compile Exim 4.80 RC2 with GnuTLS and try to connect to it
with anything that uses NSS, such as Thunderbird, Firefox, Chromium etc.
Can you get a successful TLS connection?

I am unsure how to debug this further (I am not familiar with any of
these TLS libraries) but will be happy to assist.

--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/