Re: [exim] Exim + grsecurity + ssl = dos

Author: Marcin Mirosław
Date:
To: exim-users
Subject: Re: [exim] Exim + grsecurity + ssl = dos
On 01.06.2016 at 15:05, Renaud Allard wrote:
>
>
> On 06/01/2016 12:32 PM, Samuel wrote:
>>
>> On 01/06/2016 at 11:24, Jeremy Harris wrote:
>>> On 31/05/16 18:44, Samuel wrote:
>>>> 2016-05-31 05:55:44 TLS error on connection from
>>>> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
>>>> (gnutls_handshake): Could not negotiate a supported cipher suite.
>>>> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
>>>> [1XX.212.XXX.3] Warning: erreur : tls-failed
>>> OK, cipher-suite mismatch...
>>>
>>>> /var/log/syslog :
>>>>
>>>> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
>>>> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
>>>> in libc-2.19.so[6664ddba2000+1a2000]
>>> Oops!
>>>
>>>> So if I understand well, a specially crafted SSL request can cause a DoS on
>>>> Exim on a Grsecurity kernel?
>>> Not all that crafted; just a choice of ciphers.
>>
>> Is this a problem on my side? Do I have to do something?
>>
>
> Given the name of the host researchscanXXX, may I assume you have used a
> server to test the crypto? So if it has indeed attempted some kind of
> brute force, maybe grsec was right.
>
> Some grsec features should be used with great precautions. This is not a
> magical recipe.



Hi!
I don't know if it helps. I also have a connection from researchscan but
without any segfault:
# bzgrep 13810 /var/log/exim/exim_main.log-20160531*
2016-05-30 12:51:28 [13810] TLS error on connection from
researchscan258.eecs.umich.edu (eecs.umich.edu) [141.212.122.3]
I=[81.4.122.249]:25 (SSL_accept): error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-05-30 12:51:28 [13810] TLS client disconnected cleanly (rejected
our certificate?)

# exim -d --version
Exim version 4.87 #1 built 08-Apr-2016 14:04:45
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2016
Berkeley DB: Berkeley DB 4.8.30: (2014-12-18)
Support for: crypteq iconv() IPv6 Expand_dlfunc OpenSSL Content_Scanning
Old_Demime DKIM DNSSEC Event OCSP PRDR Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch passwd pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.9.3]
Library version: OpenSSL: Compile: OpenSSL 1.0.2g  1 Mar 2016
                          Runtime: OpenSSL 1.0.2h  3 May 2016
                                 : built on: reproducible build, date
unspecified
Library version: PCRE: Compile: 8.38
                       Runtime: 8.38 2015-11-23
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
Exim version 4.87 uid=0 gid=0 pid=5705 D=fbb95cfd
changed uid/gid: forcing real = effective
  uid=0 gid=0 pid=5705
  auxiliary group list: <none>
changed uid/gid: calling tls_validate_require_cipher
  uid=8 gid=12 pid=5706
  auxiliary group list: <none>
tls_require_ciphers expands to "HIGH:!aNULL:!MD5!DES:!3DES"
tls_validate_require_cipher child 5706 ended: status=0x0
openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
openssl option, adding from 1100000: 2000000 (no_sslv3)
configuration file is /etc/exim/exim.conf
log selectors = 000084fe 16333321
cwd=/root 3 args: exim -d --version
trusted user
admin user
changed uid/gid: privilege not needed
  uid=8 gid=12 pid=5705
  auxiliary group list: 12
DSN: dnslookup_batv propagating DSN
DSN: batv_redirect propagating DSN
DSN: spam_fakereject_kopia propagating DSN
DSN: uservacation propagating DSN
DSN: virtual_user propagating DSN
DSN: aliasy propagating DSN
DSN: catchall propagating DSN
DSN: dnslookup propagating DSN
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=12
originator: uid=0 gid=0 login=root name=root
sender address = SNIP@CIACH
Configuration file is /etc/exim/exim.conf


# uname -a
Linux jowisz 4.5.4-hardened-r2 #1 SMP Tue May 17 16:54:00 CEST 2016
x86_64 Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz GenuineIntel GNU/Linux


And I'm sure that the grsec options in my kernel are different from Samuel's.
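The pattern Samuel reported is a TLS handshake failure in the Exim main log followed, at the same second, by a kernel "traps: exim4[pid] general protection" line in syslog. The script below is an added example written for this archive page, not code from the thread or from the Exim project: it parses the two log formats shown above, pairs each fault in an exim process with the handshake failures logged shortly before it, and lists the client IPs involved, which is what you would want before deciding whether a scanner is tripping the crash or whether the fault is unrelated. The hostnames, addresses (RFC 5737 documentation ranges) and the five-second correlation window are constructed assumptions for the example; the exim log only carries a "[pid]" prefix when the +pid log selector is on, so the correlation is by time rather than by pid.

```python
"""Correlate Exim TLS handshake failures with kernel 'traps:' lines.

Added example for the mailing-list thread above; not part of the original
post. Sample log lines below are constructed to match the formats shown in
the thread (hosts and IPs are documentation placeholders).
"""
import re
from datetime import datetime, timedelta

# Exim main-log TLS failure, e.g.
#   2016-05-31 05:55:44 [13810] TLS error on connection from host (helo) [ip] ...
# "[pid]" only appears with the +pid log selector, so it is optional here.
EXIM_TLS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\[(?P<pid>\d+)\] )?"
    r"TLS error on connection from (?P<host>\S+) (?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]"
    r"(?P<rest>.*)$"
)

# Kernel trap line as relayed by syslog, e.g.
#   May 31 05:55:44 mailhost kernel: [4547900.677897] traps: exim4[23055] general protection ...
KERNEL_TRAP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[\s*[\d.]+\] traps: (?P<comm>[^\[]+)\[(?P<pid>\d+)\] (?P<fault>general protection|segfault)"
)


def parse_exim_tls_errors(lines):
    """Return one record per 'TLS error on connection from' line."""
    out = []
    for line in lines:
        m = EXIM_TLS_RE.match(line)
        if not m:
            continue
        out.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "pid": int(m["pid"]) if m["pid"] else None,
            "host": m["host"],
            "ip": m["ip"],
            "detail": m["rest"].strip(),
        })
    return out


def parse_kernel_traps(lines, year):
    """Return one record per 'traps:' line. syslog omits the year, so the caller supplies it."""
    out = []
    for line in lines:
        m = KERNEL_TRAP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "comm": m["comm"], "pid": int(m["pid"]), "fault": m["fault"]})
    return out


def correlate(tls_errors, traps, window=timedelta(seconds=5), comm_prefix="exim"):
    """Pair each fault in an exim process with TLS failures logged at most `window` before it.

    Time-based rather than pid-based, because the main log line carries no pid
    unless the +pid log selector is enabled (assumption: 5 s is a wide enough window).
    """
    alerts = []
    for trap in traps:
        if not trap["comm"].startswith(comm_prefix):
            continue  # faults in other daemons are not our concern here
        for err in tls_errors:
            delta = trap["ts"] - err["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "ip": err["ip"], "host": err["host"],
                    "trap_pid": trap["pid"], "fault": trap["fault"],
                    "seconds_before_fault": delta.total_seconds(),
                    "tls_detail": err["detail"],
                })
    return alerts


def offending_ips(alerts):
    """Distinct client IPs whose handshake failure was followed by a fault."""
    return sorted({a["ip"] for a in alerts})


# Constructed sample input: first pair mirrors the crash report, the second is a
# benign handshake failure with no fault and must not be flagged.
EXIM_MAIN_LOG = """\
2016-05-31 05:55:44 TLS error on connection from scanner.example.net (scanner.example.net) [192.0.2.10] (gnutls_handshake): Could not negotiate a supported cipher suite.
2016-05-31 05:55:44 H=scanner.example.net (scanner.example.net) [192.0.2.10] Warning: erreur : tls-failed
2016-05-31 06:10:02 [23111] TLS error on connection from mx.example.org (mx.example.org) [198.51.100.7] I=[203.0.113.25]:25 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-05-31 06:10:02 [23111] TLS client disconnected cleanly (rejected our certificate?)
"""

SYSLOG = """\
May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps: exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0 in libc-2.19.so[6664ddba2000+1a2000]
May 31 06:30:00 anemone-mailin-01 kernel: [4549956.000000] traps: sshd[4242] general protection ip:0 sp:0 error:0 in libc-2.19.so[0+1a2000]
"""

if __name__ == "__main__":
    found = correlate(parse_exim_tls_errors(EXIM_MAIN_LOG.splitlines()),
                      parse_kernel_traps(SYSLOG.splitlines(), 2016))
    for a in found:
        print(f"{a['ip']} ({a['host']}): {a['fault']} in exim pid {a['trap_pid']} "
              f"{a['seconds_before_fault']:.0f}s after: {a['tls_detail']}")
    print("offending IPs:", offending_ips(found))
```

Run against the real files with the year of the syslog in question; a client that shows up repeatedly in the output is worth blocking at the ACL or firewall while the cipher-suite issue is investigated, and a fault with no matching TLS failure points away from the handshake as the cause.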