Re: [exim] Exim + grsecurity + ssl = dos

Góra strony
Delete this message
Reply to this message
Autor: Samuel
Data:  
Dla: exim-users
Temat: Re: [exim] Exim + grsecurity + ssl = dos

Le 01/06/2016 à 16:00, Marcin Mirosław a écrit :
> W dniu 01.06.2016 o 15:05, Renaud Allard pisze:
>>
>> On 06/01/2016 12:32 PM, Samuel wrote:
>>> Le 01/06/2016 à 11:24, Jeremy Harris a écrit :
>>>> On 31/05/16 18:44, Samuel wrote:
>>>>> 2016-05-31 05:55:44 TLS error on connection from
>>>>> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
>>>>> (gnutls_handshake): Could not negotiate a supported cipher suite.
>>>>> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
>>>>> [1XX.212.XXX.3] Warning: erreur : tls-failed
>>>> OK, cipher-suite mismatch...
>>>>
>>>>> /var/log/syslog :
>>>>>
>>>>> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
>>>>> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
>>>>> in libc-2.19.so[6664ddba2000+1a2000]
>>>> Oops!
>>>>
>>>>> So if I understand well, A special craft ssl request can cause DOS on
>>>>> Exim on Grsecurity kernel ?
>>>> Not all that crafted; just a choice of ciphers.
>>> Is this a problem from my side ? Do I have to do someting ?
>>>
>> Given the name of the host researchscanXXX, may I assume you have used a
>> server to test the crypto? So if it has indeed attempted some kind of
>> brute force, maybe grsec was right.
>>
>> Some grsec features should be used with great precautions. This is not a
>> magical recipe.
>
> Hi!
> I don't know if it help. I also have conenction from researchscan but
> without any segfault.:
> # bzgrep 13810 /var/log/exim/exim_main.log-20160531*
> 2016-05-30 12:51:28 [13810] TLS error on connection from
> researchscan258.eecs.umich.edu (eecs.umich.edu) [141.212.122.3]
> I=[81.4.122.249]:25 (SSL_accept): error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> 2016-05-30 12:51:28 [13810] TLS client disconnected cleanly (rejected
> our certificate?)
>
> # exim -d --version
> Exim version 4.87 #1 built 08-Apr-2016 14:04:45
> Copyright (c) University of Cambridge, 1995 - 2016
> (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
> - 2016
> Berkeley DB: Berkeley DB 4.8.30: (2014-12-18)
> Support for: crypteq iconv() IPv6 Expand_dlfunc OpenSSL Content_Scanning
> Old_Demime DKIM DNSSEC Event OCSP PRDR Experimental_SRS
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
> dbmjz dbmnz dnsdb dsearch passwd pgsql
> Authenticators: cram_md5 plaintext spa
> Routers: accept dnslookup ipliteral manualroute queryprogram redirect
> Transports: appendfile/mailstore autoreply lmtp pipe smtp
> Fixed never_users: 0
> Size of off_t: 8
> Compiler: GCC [4.9.3]
> Library version: OpenSSL: Compile: OpenSSL 1.0.2g  1 Mar 2016
>                            Runtime: OpenSSL 1.0.2h  3 May 2016
>                                   : built on: reproducible build, date
> unspecified
> Library version: PCRE: Compile: 8.38
>                         Runtime: 8.38 2015-11-23
> WHITELIST_D_MACROS unset
> TRUSTED_CONFIG_LIST unset
> Exim version 4.87 uid=0 gid=0 pid=5705 D=fbb95cfd
> changed uid/gid: forcing real = effective
>    uid=0 gid=0 pid=5705
>    auxiliary group list: <none>
> changed uid/gid: calling tls_validate_require_cipher
>    uid=8 gid=12 pid=5706
>    auxiliary group list: <none>
> tls_require_ciphers expands to "HIGH:!aNULL:!MD5!DES:!3DES"
> tls_validate_require_cipher child 5706 ended: status=0x0
> openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
> openssl option, adding from 1100000: 2000000 (no_sslv3)
> configuration file is /etc/exim/exim.conf
> log selectors = 000084fe 16333321
> cwd=/root 3 args: exim -d --version
> trusted user
> admin user
> changed uid/gid: privilege not needed
>    uid=8 gid=12 pid=5705
>    auxiliary group list: 12
> DSN: dnslookup_batv propagating DSN
> DSN: batv_redirect propagating DSN
> DSN: spam_fakereject_kopia propagating DSN
> DSN: uservacation propagating DSN
> DSN: virtual_user propagating DSN
> DSN: aliasy propagating DSN
> DSN: catchall propagating DSN
> DSN: dnslookup propagating DSN
> seeking password data for user "mail": cache not available
> getpwnam() succeeded uid=8 gid=12
> originator: uid=0 gid=0 login=root name=root
> sender address = SNIP@CIACH
> Configuration file is /etc/exim/exim.conf

>
> # uname -a
> Linux jowisz 4.5.4-hardened-r2 #1 SMP Tue May 17 16:54:00 CEST 2016
> x86_64 Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz GenuineIntel GNU/Linux
>
>
> And I'm sure that grsec option in kernel I've got different than Samuel.


Thanks a lot for your advise.
But as I told to Renaud, the 465 port was closed on my test server.

And now that it is open, I've seen the researchscan coming again on the
465 port with no alert from grsecurity.

What could has happen on the 25 port with starttls ... I don't know.

Thanks.

Samuel.