Re: [exim] Can't do TLS between two exim 4.80

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Can't do TLS between two exim 4.80
On 2013-11-10 at 04:06 +0000, Viktor Dukhovni wrote:
> Thus I would say that the server's TLS library is rather badly
> broken, or there is some sort of network device in front of the
> server (firewall, ...) that blocks TLSv1.2


$ starttls () {
    gnutls-cli --x509cafile "$SSL_CERT_FILE" --starttls --crlf "$@"
  }
$ starttls --debug 15 --port 587 smtp.merlins.org
[...]
|<2>| EXT[0x80173b000]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x80173b000]: CLIENT HELLO was sent [141 bytes]
|<6>| BUF[HSK]: Inserted 141 bytes of Data
|<7>| HWRITE: enqueued 141. Total 141 bytes.
|<7>| HWRITE FLUSH: 141 bytes in buffer.
|<4>| REC[0x80173b000]: Sending Packet[0] Handshake(22) with length: 141
|<7>| WRITE: enqueued 146 bytes for 0x4. Total 146 bytes.
|<4>| REC[0x80173b000]: Sent Packet[1] Handshake(22) with length: 146
|<7>| HWRITE: wrote 141 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 146 bytes in buffer.
|<7>| WRITE: wrote 146 bytes, 0 bytes left.
|<7>| READ: Got 0 bytes from 0x4
|<7>| READ: read 0 bytes from 0x4
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x80173b000]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x80173b000]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed


I haven't looked into whether that "0 bytes" is an internal
length-wrapped length, or an indication of a zero-length write() from
the server, not being gracefully handled. Whichever, the server is
sending something "off", causing clients to complain.

Marc, if you run `exim -d+tls -oX 588 -bd` and connect to that instance,
you can see what _Exim_ sees from its TLS provider.

I might continue by seeing if you've configured tls_dhparam to point to
an empty file or the like.

-Phil
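Added example, not part of the post or of Exim/GnuTLS: a script that repeats the gnutls-cli STARTTLS probe at several TLS versions and classifies how far each handshake gets, so a "connection closed right after CLIENT HELLO" (the pattern in the trace above) can be told apart from a failure later in the handshake, and a TLS-1.2-only breakage from a server that is down entirely. It assumes gnutls-cli with --starttls-proto and the -VERS-ALL priority keyword (GnuTLS 3.4 or later), that the trace strings matched below are the ones gnutls-cli prints, and that the host and port are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Probes an SMTP server's
# STARTTLS handshake with gnutls-cli per TLS version and classifies where
# each attempt fails. Trace strings and CLI options are assumptions about
# gnutls-cli >= 3.4.
set -u

# Classify a gnutls-cli --debug trace (read from stdin) by the last
# handshake milestone it reached.
classify_trace() {
    local sent_hello=0 got_server_hello=0 read_zero=0 ok=0 line
    while IFS= read -r line; do
        case "$line" in
            *"CLIENT HELLO was sent"*)     sent_hello=1 ;;
            *"SERVER HELLO was received"*) got_server_hello=1 ;;
            *"READ: Got 0 bytes"*)         read_zero=1 ;;
            *"Handshake was completed"*)   ok=1 ;;
        esac
    done
    if   [ "$ok" = 1 ];                              then echo "ok"
    elif [ "$got_server_hello" = 1 ];                then echo "failed-after-serverhello"
    elif [ "$sent_hello" = 1 ] && [ "$read_zero" = 1 ]; then echo "closed-after-clienthello"
    elif [ "$sent_hello" = 1 ];                      then echo "failed-after-clienthello"
    else                                                  echo "no-clienthello"
    fi
}

# One STARTTLS probe with a GnuTLS priority string: probe HOST PORT PRIORITY
probe() {
    gnutls-cli --starttls-proto=smtp --crlf --debug 4 --priority "$3" \
        --port "$2" "$1" </dev/null 2>&1 | classify_trace
}

# Probe each TLS version on its own: a server or middlebox that only chokes
# on TLS 1.2 shows "closed-after-clienthello" for 1.2 and "ok" for the rest.
probe_versions() {  # probe_versions HOST PORT
    local prio
    for prio in "NORMAL:-VERS-ALL:+VERS-TLS1.2" \
                "NORMAL:-VERS-ALL:+VERS-TLS1.1" \
                "NORMAL:-VERS-ALL:+VERS-TLS1.0"; do
        printf '%-34s %s\n' "$prio" "$(probe "$1" "$2" "$prio")"
    done
}

# Constructed trace excerpt shaped like the session in the post, so the
# classifier can be exercised offline.
SAMPLE_TRACE='|<3>| HSK[0x1]: CLIENT HELLO was sent [141 bytes]
|<7>| READ: Got 0 bytes from 0x4
*** Fatal error: A TLS packet with unexpected length was received.'

if [ "${1:-}" = "--probe" ]; then probe_versions "$2" "${3:-587}"; fi
```

Run it as `./probe.sh --probe smtp.example.invalid 587` (placeholder host) against the suspect server; the same three priority strings can be reused in Exim's tls_require_ciphers to confirm the diagnosis from the server side.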