[exim] Can't do TLS between two exim 4.80

Top Page
Delete this message
Reply to this message
Author: Marc MERLIN
Date:  
To: exim-users
Subject: [exim] Can't do TLS between two exim 4.80
I have exim 4.80 from debian on both machines.

The client can do TLS with gmail but not with my other server:
SMTP<< 220 2.0.0 Ready to start TLS
initializing GnuTLS as a client
read D-H parameters from file
initialized D-H parameters
no TLS client certificate is specified
initialized certificate stuff
initialized GnuTLS session
cipher: TLS1.2:RSA_ARCFOUR_SHA1:16
SMTP>> EHLO gandalfthegreat.merlins.org

tls_do_write(7fff2ee8f910, 34)
gnutls_record_send(SSL, 7fff2ee8f910, 34)
outbytes=34
waiting for data on socket
Calling gnutls_record_recv(7f494f4b81b0, 7fff2ee8d910, 4096)
read response data: size=193
SMTP<< 250-mx.google.com at your service, [72.29.212.3]

Against my own server I get:
09:15:27 31428 SMTP<< 220 TLS go ahead
09:15:27 31428 initialising GnuTLS as a client on fd 7
09:15:27 31428 GnuTLS global init required.
09:15:27 31428 initialising GnuTLS client session
09:15:27 31428 Expanding various TLS configuration options for session credentials.
09:15:27 31428 TLS: no client certificate specified; okay
09:15:27 31428 TLS: tls_verify_certificates not set or empty, ignoring
09:15:27 31428 GnuTLS using default session cipher/priority "NORMAL"
09:15:27 31428 Setting D-H prime minimum acceptable bits to 1024
09:15:27 31428 TLS: server certificate verification not required
09:15:27 31428 LOG: MAIN
09:15:27 31428 TLS error on connection to 209.81.13.136 [209.81.13.136] (gnutls_handshake): A TLS packet with unexpected length was received.
09:15:27 31428 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL

If you'd like to poke at it, that's 209.81.13.136 port 587

But I'm guessing the problem is on the client, so here's how it's linked:

gandalfthegreat:~# ldd /usr/sbin/exim4
    linux-vdso.so.1 (0x00007fff12ffe000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007ff9e87b1000)
    libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007ff9e8599000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007ff9e8361000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff9e8063000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff9e7e5f000)
    libdb-5.1.so => /usr/lib/x86_64-linux-gnu/libdb-5.1.so (0x00007ff9e7adb000)
    libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007ff9e781c000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007ff9e75de000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff9e7231000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ff9e8ce1000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff9e7015000)
    libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007ff9e6d96000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007ff9e6b7d000)
    libtasn1.so.3 => /usr/lib/x86_64-linux-gnu/libtasn1.so.3 (0x00007ff9e696c000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007ff9e674c000)
    libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007ff9e6546000)


The server seems to accept TLS:

Any idea what I should look at next?

TLS seems to work on the server:
gandalfthegreat:~$ openssl s_client -starttls smtp -crlf -connect smtp.merlins.org:587
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Silicon Valley, O = Linux Geeks Incorporated, OU = merlins.org, CN = Marc MERLIN, emailAddress = marc_cert@???
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Silicon Valley, O = Linux Geeks Incorporated, OU = merlins.org, CN = Marc MERLIN, emailAddress = marc_cert@???
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Silicon Valley/O=Linux Geeks Incorporated/OU=merlins.org/CN=Marc MERLIN/emailAddress=marc_cert@???
   i:/C=US/ST=California/L=Silicon Valley/O=Linux Geeks Incorporated/OU=merlins.org/CN=Marc MERLIN/emailAddress=marc_cert@???
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID6zCCA1SgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBsDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExFzAVBgNVBAcTDlNpbGljb24gVmFsbGV5MSEw
HwYDVQQKExhMaW51eCBHZWVrcyBJbmNvcnBvcmF0ZWQxFDASBgNVBAsTC21lcmxp
bnMub3JnMRQwEgYDVQQDEwtNYXJjIE1FUkxJTjEkMCIGCSqGSIb3DQEJARYVbWFy
Y19jZXJ0QG1lcmxpbnMub3JnMB4XDTAyMDgxODIyMzYxMFoXDTMwMDEwMzIyMzYx
MFowgbAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRcwFQYDVQQH
Ew5TaWxpY29uIFZhbGxleTEhMB8GA1UEChMYTGludXggR2Vla3MgSW5jb3Jwb3Jh
dGVkMRQwEgYDVQQLEwttZXJsaW5zLm9yZzEUMBIGA1UEAxMLTWFyYyBNRVJMSU4x
JDAiBgkqhkiG9w0BCQEWFW1hcmNfY2VydEBtZXJsaW5zLm9yZzCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAy90Re3gyol7wkw+ix/BNEeVUmtBaVHdU/m7CjPbG
0vpcSsIUrCcorMH65cyITbugHD/7LpLnH/svH5xzsu4QHra7JWVIZ3NwAcCDqyud
0Tt8/p00s2C/ZOe2WQ7UUamG4MJGP9t0DfVz2hP7eB4Yx1q7G0qof2L+s8+lP3lf
+TcCAwEAAaOCAREwggENMB0GA1UdDgQWBBR81aeHns9INDeUObbn83VJyyOrIzCB
3QYDVR0jBIHVMIHSgBR81aeHns9INDeUObbn83VJyyOrI6GBtqSBszCBsDELMAkG
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFzAVBgNVBAcTDlNpbGljb24g
VmFsbGV5MSEwHwYDVQQKExhMaW51eCBHZWVrcyBJbmNvcnBvcmF0ZWQxFDASBgNV
BAsTC21lcmxpbnMub3JnMRQwEgYDVQQDEwtNYXJjIE1FUkxJTjEkMCIGCSqGSIb3
DQEJARYVbWFyY19jZXJ0QG1lcmxpbnMub3JnggEAMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEEBQADgYEALpbhn+1WFh8PLkAW7HaeYZ8+TUO5T/Y7J9SnOPMhAf+U
ub75oalLfkZe1hYPqFccrt3wCHDv3VJXD6A4vFpUmpTOYl5BfVesyfK+jCYvgX+W
JfBd+KygF4GHuxQHp52bJZ5gvsYnHM0ikys/icAKBs8eoexjN1aLo5s2yBt7qn8=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Silicon Valley/O=Linux Geeks Incorporated/OU=merlins.org/CN=Marc MERLIN/emailAddress=marc_cert@???
issuer=/C=US/ST=California/L=Silicon Valley/O=Linux Geeks Incorporated/OU=merlins.org/CN=Marc MERLIN/emailAddress=marc_cert@???
---
No client certificate CA names sent
---
SSL handshake has read 2370 bytes and written 528 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1EB9F0EAEE5FD091475C9449BC4BE9CA274223B81E76313003A659E9BBDD0CA2
    Session-ID-ctx: 
    Master-Key: 1BE54CABA2BCA8998938597163D85875E117317DC6C60AF50F0C5BF0255E3E6F90C69BBBA7618B257DA988A59FEFDC52
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1383931998
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP


Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901