[exim] massive increase in SSL handshake failures after root…

Author: Wolfgang Breyha
Date:  
To: Exim Mailing List
Subject: [exim] massive increase in SSL handshake failures after root-CA update
Hi!

I see a massive increase in SSL handshake failures after updating the
ca-certificates RPM last Friday. I can't tell what exactly happens, but some
facts:

*) exim-4.82
*) openssl 1.0.1e
*) ca-certificates-2013.1.95-65.1.el6_5.noarch
*) revision till Friday: ca-certificates-2010.63-3.el6_1.5.noarch.rpm
*) tls_try_verify_hosts = *
tls_verify_certificates = /etc/pki/tls/cert.pem

I fixed one issue with Pegasus 4.63 on the weekend by not requesting a client
certificate. After looking at the handshake with wireshark it seems that the
list of root-CAs is sent with the handshake if a client certificate request is
done. Pegasus complained about the size of the handshake packet and sent a
"handshake failed" response.

The main difference in the ca-bundle.cert files is the raw size.
old:
-rw-r--r-- 1 root root 571442 Apr 7 2010 /tmp/certs/ca-bundle.crt
new:
-rw-r--r-- 1 root root 757191 Dec 17 18:44 /etc/pki/tls/certs/ca-bundle.crt

There are two sha384WithRSAEncryption signatures for the first time.

Another group which failed since the update are all Canon Printers. Disabling
client cert requests fixed it for them, too.

Any idea what went wrong here? Is it simply the packet size in the handshake?

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria
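The mechanism described in the post (the server's CertificateRequest carries the subject DN of every CA it trusts, so a bigger ca-bundle means a bigger handshake) can be measured offline. The following added example is not part of the post or of Exim; it walks the DER of each certificate in a PEM bundle, extracts the subject Name and sums what the TLS 1.2 certificate_authorities vector (RFC 5246, section 7.4.4: one 2-byte length per DistinguishedName plus a 2-byte vector length) would occupy. The two certificates it parses are synthetic, certificate-shaped DER blobs constructed for the example (zeroed signature, no public key), not real CA certificates; feed it the real /etc/pki/tls/certs/ca-bundle.crt to see the list size your server would advertise.

```python
"""Estimate the certificate_authorities list size a TLS 1.2 server sends in
CertificateRequest when client certificates are requested against a CA bundle.
Added example, not Exim code; assumes a PEM bundle of X.509 certificates."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle_text)]


def der_tlv(buf, off):
    """Parse one DER TLV header at buf[off:]; return (tag, header_len, value_len)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    nbytes = first & 0x7F                  # long-form: next nbytes hold the length
    length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    return tag, 2 + nbytes, length


def der_children(buf, off, end):
    """Yield (tag, start, end) of each element inside a constructed value."""
    while off < end:
        tag, hlen, vlen = der_tlv(buf, off)
        yield tag, off, off + hlen + vlen
        off += hlen + vlen


def subject_der(cert_der):
    """Return the full TLV of the subject Name (Certificate -> tbsCertificate ->
    subject), skipping the optional explicit [0] version field.  The TLV is what
    a DistinguishedName entry in CertificateRequest carries."""
    tag, hlen, vlen = der_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs_tag, tbs_start, tbs_end = next(der_children(cert_der, hlen, hlen + vlen))
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    _, tbs_hlen, _ = der_tlv(cert_der, tbs_start)
    fields = list(der_children(cert_der, tbs_start + tbs_hlen, tbs_end))
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version present
        fields = fields[1:]
    _, start, end = fields[4]              # serial, sigAlg, issuer, validity, subject
    return cert_der[start:end]


def certificate_request_ca_list_size(bundle_text):
    """Return (bytes, count): size of the certificate_authorities vector and the
    number of DNs in it.  Each DN has a 2-byte length prefix, the vector another."""
    names = [subject_der(d) for d in pem_to_ders(bundle_text)]
    return 2 + sum(2 + len(n) for n in names), len(names)


def _tlv(tag, value):
    """Minimal DER encoder, used only to build the synthetic test certificates."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def synthetic_cert_pem(cn):
    """Constructed certificate-shaped DER with a single CN (NOT a valid
    certificate: no public key, zeroed signature), wrapped as PEM."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30,
                _tlv(0x06, bytes([0x55, 0x04, 0x03]))      # OID 2.5.4.3 commonName
                + _tlv(0x0C, cn.encode()))))                # UTF8String
    alg = _tlv(0x30, _tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
                                       0x01, 0x01, 0x0B])) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"240101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))        # version v3
               + _tlv(0x02, b"\x01") + alg + name + validity + name)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))  # long-form length here
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed two-certificate bundle standing in for ca-bundle.crt.
BUNDLE = synthetic_cert_pem("Example Root CA") + synthetic_cert_pem("Test CA")

if __name__ == "__main__":
    size, count = certificate_request_ca_list_size(BUNDLE)
    print(f"{count} CA names, {size} bytes in certificate_authorities")
```

Compare the result for the old and new ca-bundle.crt: a DN list that grows past 16384 bytes no longer fits one TLS record and the handshake message is split across records, which is where small embedded TLS stacks (printers, older mail clients) tend to give up. Pointing tls_verify_certificates at a file containing only the CAs you actually accept client certificates from keeps the advertised list short without giving up verification.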