Re: [exim] Exim + grsecurity + ssl = dos

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Samuel
Date:  
À: exim-users
Sujet: Re: [exim] Exim + grsecurity + ssl = dos


Le 01/06/2016 à 11:24, Jeremy Harris a écrit :
> On 31/05/16 18:44, Samuel wrote:
>> 2016-05-31 05:55:44 TLS error on connection from
>> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
>> (gnutls_handshake): Could not negotiate a supported cipher suite.
>> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
>> [1XX.212.XXX.3] Warning: erreur : tls-failed
> OK, cipher-suite mismatch...
>
>> /var/log/syslog :
>>
>> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
>> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
>> in libc-2.19.so[6664ddba2000+1a2000]
> Oops!
>
>> So if I understand well, A special craft ssl request can cause DOS on
>> Exim on Grsecurity kernel ?
> Not all that crafted; just a choice of ciphers.
>
>
>> What can I do to stop this ?
> Gather more information so that we can fix the bug where the crash is.
> A full stack trace of the crash point, with debuginfo. Generally this
> means enabling suid-process coredumps though, and this is a security
> issue (the coredump potentially contains sensitive info, so you
> don't want just anyone to be able to read the file).
>
> Also: any idea if this was STARTTLS or SSL-on-connect?


Finally, as I answered in the list, the port 465 was closed, so sure it
was on the port 25 with starttls.

>> exim -d --version
>> Exim version 4.84_2 #1 built 13-Mar-2016 17:47:17
> Many thanks for gathering that level of info - I wish more people did!
> --
> Cheers,
>    Jeremy


Thanks.
Samuel.