Re: [exim] Can't do TLS between two exim 4.80

Author: Marc MERLIN
Date:  
To: Andreas Metzler, Cyborg, Evgeniy Berdnikov, Viktor Dukhovni
CC: exim-users
Subject: Re: [exim] Can't do TLS between two exim 4.80
On Sat, Nov 09, 2013 at 08:54:51PM +0400, Evgeniy Berdnikov wrote:
> On Sat, Nov 09, 2013 at 05:03:49PM +0100, Cyborg wrote:
> > On 09.11.2013 14:04, Andreas Metzler wrote:
> > >openssl s_client -starttls smtp -crlf -connect smtp.merlins.org:587
> >
> > It's not working for you, but for me it is.
>
> With -tls1_1 the connection starts normally; with -tls1_2 this server
> silently closes the connection immediately after the ClientHello [version:3.3].
> Hope this helps to bisect.
> --
> Eugene Berdnikov
>

On Sat, Nov 09, 2013 at 10:59:04PM +0000, Viktor Dukhovni wrote:
> On Fri, Nov 08, 2013 at 09:34:12AM -0800, Marc MERLIN wrote:
>
> > But I'm guessing the problem is on the client, so here's how it's linked:
>
> I can reproduce the problem with a Postfix client, the problem
> seems to be on the server. If I don't disable TLSv1.2 the server
> hangs up after the client HELLO.
>
> This happens even with an SSLv2 HELLO, so it is something about
> the client cipherlist, not the TLS extensions.


Thank you all for the debugging info.

This is what my binary from debian uses:
magic:~# ldd /usr/sbin/exim4  |grep tls
        libgnutls.so.26 => /usr/lib/i386-linux-gnu/libgnutls.so.26 (0xb6afe000)


Seems there is a newer version of 2.6 in debian:
Preparing to replace libgnutls26 2.12.20-2 (using .../libgnutls26_2.12.23-8_i386.deb) ...
Unpacking replacement libgnutls26 ...
(that's the latest in debian testing/unstable)

Mmmh, but unfortunately upgrading this and restarting exim4 didn't help; I still get
SMTP<< 220 TLS go ahead
LOG: MAIN
TLS error on connection to 209.81.13.136 [209.81.13.136] (gnutls_handshake): A TLS packet with unexpected length was received.
LOG: MAIN

I'm assuming it's not broken for everyone on debian; what other packages do you think
might be broken/out of date/missing?

I know I can recompile exim4 to use openssl, but I would much rather
stick to the stock debian packages.

Currently I have
ii exim4-daemon-heavy 4.80-6

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901
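Added example, not code from the thread or from exim: a Python probe that repeats the bisection Evgeniy and Viktor did by hand (one STARTTLS handshake per TLS version, each offering only that version) and records whether the server negotiates, sends an alert, or silently drops the connection right after the ClientHello. Host and port are whatever server you operate; the `ALL:@SECLEVEL=0` cipher string is only there so a current OpenSSL still offers TLS 1.0/1.1 for the comparison.

```python
import smtplib
import socket
import ssl

# Offer exactly one version per handshake, like `openssl s_client -tls1_1` / `-tls1_2`.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify(exc):
    """Map a failed handshake to the symptom a defender wants to log."""
    msg = str(exc).lower()
    # Server hung up right after our ClientHello, with no alert at all: the
    # behaviour the thread reports for the exim 4.80 / GnuTLS 2.12 server.
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError,
                        smtplib.SMTPServerDisconnected, EOFError)) or "eof" in msg:
        return "silent close after ClientHello"
    if isinstance(exc, ssl.SSLError):
        if "alert" in msg:                   # clean rejection, e.g. protocol_version
            return "server alert: " + str(exc)
        return "handshake error: " + str(exc)  # e.g. local OpenSSL refuses the version
    if isinstance(exc, socket.timeout):
        return "timeout: no reply after ClientHello"
    return "error: %r" % exc


def probe(host, port=587, timeout=10):
    """Return {version name: outcome} for one STARTTLS server."""
    results = {}
    for name, ver in VERSIONS.items():
        smtp = None
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # probing version support, not identity
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let modern OpenSSL still offer TLS 1.0/1.1
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.starttls(context=ctx)       # EHLO, STARTTLS, then our ClientHello
            results[name] = "ok: negotiated " + smtp.sock.version()
            smtp.quit()
        except Exception as exc:             # diagnostic tool: record, don't abort
            results[name] = classify(exc)
            if smtp is not None:
                smtp.close()
    return results
```

Run it as `probe("smtp.example.org")` against your own server; a row reading "silent close after ClientHello" only for TLSv1.2 is the pattern this thread describes.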