Re: [exim] TLS error on connection

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] TLS error on connection
On Thu, Aug 27, 2015 at 08:06:16PM +0300, Evgeniy Berdnikov wrote:

> On Thu, Aug 27, 2015 at 02:44:40PM +0000, Viktor Dukhovni wrote:
> > I just tried:
> >
> >     $ posttls-finger ringways.co.uk
> >     posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
> ...
> >     posttls-finger: < 220 TLS go ahead
> >     posttls-finger: SSL_connect error to mail.ringways.co.uk[88.211.105.31]:25: Connection timed out

> >
> > Are you using /dev/random, rather than /dev/urandom for entropy?
>
> I tried "openssl s_client -connect mail.ringways.co.uk:25 -starttls smtp"
> with -tls1_1 and -tls1_2 options. The first option leads to very quick
> connect, tls handhaske and server prompt, the second leads to hangup
> after ClientHello.
>
> I don't know whether the difference between TLS protocol versions is
> related to usage of kernel random/urandom interfaces by crypto libs.


Thanks, this helps a lot. Indeed it breaks with TLS 1.2 and not
earlier versions, and that is because of the much larger TLS client
HELLO in TLS 1.2 due to many new ciphers.

Setting a short cipherlist with TLS 1.2 works:

    $ posttls-finger -o "tls_medium_cipherlist=AES128-SHA"-p TLSv1.2 -Ldebug ringways.co.uk
    posttls-finger: Destination address lookup failed: Host or domain name not found. Name service error for name=TLSv1.2 type=AAAA: Host not found
    bash-4.3$ posttls-finger -o "tls_medium_cipherlist=AES128-SHA" -p TLSv1.2 -Ldebug ringways.co.uk
    posttls-finger: initializing the client-side TLS engine
    posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: < 220 mail.ringways.co.uk ESMTP Exim 4.84 Thu, 27 Aug 2015 18:17:09 +0100
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250 HELP
    posttls-finger: > STARTTLS
    posttls-finger: < 220 TLS go ahead
    posttls-finger: setting up TLS connection to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: TLS cipher list "AES128-SHA:!aNULL"
    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: depth=0 verify=0 subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: depth=0 verify=1 subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A
    posttls-finger: certificate verification failed for mail.ringways.co.uk[88.211.105.31]:25: self-signed certificate
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: subject_CN=ollie2.ringways.co.uk, issuer_CN=ollie2.ringways.co.uk, fingerprint=43:3D:A9:99:9C:61:01:4F:18:69:CD:C1:18:AD:EA:8C:E7:75:C8:34, pkey_fingerprint=42:E2:03:37:5C:56:B7:07:56:BB:17:BA:A7:A4:91:93:0A:1D:E6:3E
    posttls-finger: Untrusted TLS connection established to mail.ringways.co.uk[88.211.105.31]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 mail.ringways.co.uk closing connection


So the OP appears to have a system that does not tolerate large
client HELLO messages. There may be some "middle-box" (firewall
or similar) that is doing protocol inspection and choking on large
client HELLOs.

Entropy is then not the issue this time.

-- 
    Viktor.