Re: [exim] Exim + grsecurity + ssl = dos

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Renaud Allard
Date:  
À: exim-users
Sujet: Re: [exim] Exim + grsecurity + ssl = dos


On 06/01/2016 12:32 PM, Samuel wrote:
>
> Le 01/06/2016 à 11:24, Jeremy Harris a écrit :
>> On 31/05/16 18:44, Samuel wrote:
>>> 2016-05-31 05:55:44 TLS error on connection from
>>> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
>>> (gnutls_handshake): Could not negotiate a supported cipher suite.
>>> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
>>> [1XX.212.XXX.3] Warning: erreur : tls-failed
>> OK, cipher-suite mismatch...
>>
>>> /var/log/syslog :
>>>
>>> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
>>> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
>>> in libc-2.19.so[6664ddba2000+1a2000]
>> Oops!
>>
>>> So if I understand well, A special craft ssl request can cause DOS on
>>> Exim on Grsecurity kernel ?
>> Not all that crafted; just a choice of ciphers.
>
> Is this a problem from my side ? Do I have to do someting ?
>


Given the name of the host researchscanXXX, may I assume you have used a
server to test the crypto? So if it has indeed attempted some kind of
brute force, maybe grsec was right.

Some grsec features should be used with great precautions. This is not a
magical recipe.