Re: [exim] Exim + grsecurity + ssl = dos

Top Page
This message is part of the following thread:
M-+\the complete thread tree sorted by date
M\MMRenaud Allard at <-
MM.MSamuel at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Exim + grsecurity + ssl = dos
On 31/05/16 18:44, Samuel wrote:
> 2016-05-31 05:55:44 TLS error on connection from
> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
> (gnutls_handshake): Could not negotiate a supported cipher suite.
> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
> [1XX.212.XXX.3] Warning: erreur : tls-failed

OK, cipher-suite mismatch...

> /var/log/syslog :
>
> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
> in libc-2.19.so[6664ddba2000+1a2000]

Oops!

> So if I understand well, A special craft ssl request can cause DOS on
> Exim on Grsecurity kernel ?

Not all that crafted; just a choice of ciphers.


> What can I do to stop this ?

Gather more information so that we can fix the bug where the crash is.
A full stack trace of the crash point, with debuginfo. Generally this
means enabling suid-process coredumps though, and this is a security
issue (the coredump potentially contains sensitive info, so you
don't want just anyone to be able to read the file).

Also: any idea if this was STARTTLS or SSL-on-connect?

> exim -d --version
> Exim version 4.84_2 #1 built 13-Mar-2016 17:47:17

Many thanks for gathering that level of info - I wish more people did!
--
Cheers,
Jeremy


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Exim + grsecurity + ssl = dosRe: [exim] Exim + grsecurity + ssl = dos->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)