Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded
On 21/11/16 16:21, Torsten Tributh wrote:
>> On 21/11/16 15:57, Torsten Tributh wrote:
>>> If this variable:
>>>
>>> tls_eccurve =
>>> is not set in the config, TLS fails.
>> How are you testing and what do you observe?
> Simple test:
> tls_eccurve = auto
> /etc/init.d/exim4 restart
>
>
> echo quit|openssl s_client -connect torf.tributh.net:465


Setting up a test here on d8 + openssl 1.1, using testcase 2128 as a
basis, I get:

jgh@d8:~$ echo quit|openssl s_client -connect 127.0.0.1:1226
CONNECTED(00000003)
depth=0 C = UK, O = The Exim Maintainers, OU = Test Suite, CN = Phil Pennock
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UK, O = The Exim Maintainers, OU = Test Suite, CN = Phil Pennock
verify return:1
---
Certificate chain
 0 s:/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
   i:/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw
M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV
nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj
Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj
pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd
gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ
ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK
hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt
YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx
CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9
MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif
F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo
92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC
lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT
g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG
gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx
W45BdA==
-----END CERTIFICATE-----
subject=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
issuer=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1670 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
F1EE9F574D909B48ECFA6DAD3A642C8B48E3E0BC218FDF78924CDCA48DED7D79
    Session-ID-ctx:
    Master-Key:
97CDBA571A63DD9CA8E1E13B7E9AA1B393315F8051DFB17568CC2C8F4F13AF197C8E77FC6627A25A8921416D6DE32910
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - b1 81 9f 4f 4c 0a 05 58-72 5a 31 ea 37 1d 25 0a
...OL..XrZ1.7.%.
    0010 - 0d 1e b4 fd bf 41 bd 64-2d 99 e4 36 6c 8c d5 09
.....A.d-..6l...
    0020 - 2f 40 d3 39 55 c0 04 c4-cf 14 ba 9c c9 d2 e9 3c
/@.9U..........<
    0030 - dc 9f 83 e4 94 22 8d 54-0f 9e 39 58 a6 92 dc 6b
.....".T..9X...k
    0040 - 1f ec 29 9a 68 f6 92 7d-86 d2 9e 5a 70 53 ef 22
..).h..}...ZpS."
    0050 - f7 df c5 5d 2d 4e 0d 5c-e5 f5 f0 80 f1 cf b7 1b
...]-N.\........
    0060 - 3b 9a 73 14 fc 9e 64 4b-f1 fe 51 7b 2a 9b 22 06
;.s...dK..Q{*.".
    0070 - 09 e1 53 35 10 df 6d 87-83 a6 3c 3c 40 1b 2b 3a
..S5..m...<<@.+:
    0080 - c1 0f b1 cb 79 af 60 6b-67 95 94 c1 49 5f 88 cc
....y.`kg...I_..
    0090 - 32 46 ac 34 ab 06 de 8d-8f 40 46 c7 4e 01 26 d2
2F.4.....@F.N.&.


    Start Time: 1479850967
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
220 myhost.test.ex ESMTP Exim x.yz Tue, 22 Nov 2016 21:42:47 +0000
DONE





=============================
Here's the daemon's debug (-d+tls) output:

jgh@d8:~/git/exim/test$ eximdir/exim -d-all+tls -bd -C
/home/jgh/git/exim/test/test-config -DDIR=/home/jgh/git/exim/test -oX
1225:1226:1227
Exim version x.yz uid=1000 gid=1000 pid=856 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 Perl Expand_dlfunc OpenSSL
move_frozen_messages Content_Scanning DKIM DNSSEC Event I18N OCSP PRDR
PROXY SOCKS TCP_Fast_Open Experimental_LMDB Experimental_QUEUEFILE
Experimental_DANE Experimental_DCC Experimental_DSN_info
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm lmdb mysql passwd pgsql
redis sqlite testdb
Authenticators: cram_md5 dovecot plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe
queuefile smtp
Fixed never_users: 0
Configure owner: 1000:1000
Size of off_t: 8
Compiler: GCC [6.2.0 20161103]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0b  26 Sep 2016
                          Runtime: OpenSSL 1.1.0b  26 Sep 2016
                                 : built on: reproducible build, date
unspecified
Library version: IDN: Compile: 1.33
                      Runtime: 1.33
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
Library version: LMDB: Compile: 0.9.18
Library version: MySQL: Compile: 5.7.16 [(Debian)]
                        Runtime: 5.7.16
Library version: REDIS: Compile: 0 [13]
Library version: SQLite: Compile: 3.15.1
                         Runtime: 3.15.1
WHITELIST_D_MACROS:
"DIR:EXIM_PATH:AA:ACL:ACLRCPT:ACL_MAIL:ACL_PREDATA:ACL_RCPT:AFFIX:ALLOW:ARG1:ARG2:AUTHF:AUTHS:AUTH_ID_DOMAIN:BAD:BANNER:BB:BR:BRB:CERT:COM:COMMAND_USER:CONNECTCOND:CONTROL:CREQCIP:CREQMAC:CRL:CSS:D6:DATA:DCF:DDF:DEFAULTDWC:DELAY:DETAILS:DRATELIMIT:DYNAMIC_OPTION:ELI:ERROR_DETAILS:ERT:FAKE:FALLBACK:FILTER:FILTER_PREPEND_HOME:FORBID:FORBID_SMTP_CODE:FUSER:HAI:HAP:HARDLIMIT:HEADER_LINE_MAXSIZE:HEADER_MAXSIZE:HELO_MSG:HL:HOSTS:HOSTS_AVOID_TLS:HOSTS_MAX_TRY:HVH:IFACE:IGNORE_QUOTA:INC:INSERT:IP1:IP2:LAST:LDAPSERVERS:LENCHECK:LIMIT:LIST:LOG_SELECTOR:LS:MAXNM:MESSAGE_LOGS:MSIZE:NOTDAEMON:ONCE:ONLY:OPT:OPTION:ORDER:PAH:PEX:PORT:PTBC:QDG:QOLL:QUOTA:QUOTA_FILECOUNT:QWM:RCPT_MSG:REMEMBER:REQUIRE:RETRY:RETRY1:RETRY2:RETURN:RETURN_ERROR_DETAILS:REWRITE:ROUTE_DATA:RRATELIMIT:RT:S:SELECTOR:SELF:SERVER:SERVERS:SREQCIP:SREQMAC:SRV:STD:STRICT:SUB:SUBMISSION_OPTIONS:TIMEOUTDEFER:TIMES:TRUSTED:TRYCLEAR:UL:USE_SENDER:UTF8:VALUE:WMF:X:Y"
TRUSTED_CONFIG_LIST: "/home/jgh/git/exim/test/trusted_configs"
macros_trusted overridden to true by whitelisting
tls_validate_require_cipher child 857 ended: status=0x0
configuration file is /home/jgh/git/exim/test/test-config
log selectors = 00000ffc 06320202
cwd=/home/jgh/git/exim/test 8 args: eximdir/exim -d-all+tls -bd -C
/home/jgh/git/exim/test/test-config -DDIR=/home/jgh/git/exim/test -oX
1225:1226:1227
admin user
  856 daemon_smtp_port overridden by -oX:
  856   <: 1225: 1226: 1227
  856 listening on all interfaces (IPv6) port 1225
  856 listening on all interfaces (IPv4) port 1225
  856 listening on all interfaces (IPv6) port 1226
  856 listening on all interfaces (IPv4) port 1226
  856 listening on all interfaces (IPv6) port 1227
  856 listening on all interfaces (IPv4) port 1227
  856 pid written to /home/jgh/git/exim/test/spool/exim-daemon.pid
  856 LOG: MAIN
  856   exim x.yz daemon started: pid=856, no queue runs, listening for
SMTP on port 1225 (IPv6 and IPv4) and for SMTPS on port 1226 (IPv6 and
IPv4) port 1227 (IPv6 and IPv4)
  856 daemon running with uid=1001 gid=1001 euid=1001 egid=1001
  856 Listening...
  856 Connection request from 127.0.0.1 port 44204
  856 1 SMTP accept process running
  856 Listening...
  874 Process 874 is handling incoming connection from [127.0.0.1]
  874 no SSL CTX options to set
  874 Diffie-Hellman initialized from default with 2048-bit prime
  874 ECDH: curve 'prime256v1'
  874 ECDH: enabled 'prime256v1' curve
  874 tls_certificate file /home/jgh/git/exim/test/aux-fixed/cert1
  874 tls_privatekey file /home/jgh/git/exim/test/aux-fixed/cert1
  874 Initialized TLS
  874 Calling SSL_accept
  874 SSL info: before SSL initialization
  874 SSL info: before SSL initialization
  874 SSL info: before SSL initialization
  874 SSL info: SSLv3/TLS read client hello
  874 SSL info: SSLv3/TLS write server hello
  874 SSL info: SSLv3/TLS write certificate
  874 SSL info: SSLv3/TLS write key exchange
  874 SSL info: SSLv3/TLS write server done
  874 SSL info: SSLv3/TLS write server done
  874 SSL info: SSLv3/TLS read client key exchange
  874 SSL info: SSLv3/TLS read change cipher spec
  874 SSL info: SSLv3/TLS read finished
  874 SSL info: SSLv3/TLS write session ticket
  874 SSL info: SSLv3/TLS write change cipher spec
  874 SSL info: SSLv3/TLS write finished
  874 SSL info: SSL negotiation finished successfully
  874 SSL info: SSL negotiation finished successfully
  874 SSL_accept was successful
  874 Cipher: TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
  874 Shared ciphers:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
  874 tls_do_write(0x55ccdfb03ba0, 68)
  874 SSL_write(SSL, 0x55ccdfb03ba0, 68)
  874 outbytes=68 error=0
  874 Process 874 is ready for new message
  874 Calling SSL_read(0x55ccdfb36430, 0x55ccdfb44d00, 4096)
  874 tls_do_write(0x55ccdfb03ba0, 39)
  874 SSL_write(SSL, 0x55ccdfb03ba0, 39)
  874 outbytes=39 error=0
  874 tls_close(): shutting down SSL
  874 LOG: smtp_connection MAIN
  874   SMTP connection from [127.0.0.1] closed by QUIT
  856 child 874 ended: status=0x0
  856   normal exit, 0
  856 0 SMTP accept processes now running
  856 Listening...


===================================

So I guess there's some other difference apart from an EC curve being
defined (mine had the variable unset, so got the default prime256v1).

Could you enable debug on yours and see where the output goes
significantly different?
--
Cheers,
Jeremy