[exim-dev] [Bug 2396] New: key lookup with received_ip_address fails

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2396] New: key lookup with received_ip_address fails
https://bugs.exim.org/show_bug.cgi?id=2396

            Bug ID: 2396
           Summary: key lookup with received_ip_address fails
           Product: Exim
           Version: 4.92
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: spencer.marshall@???
                CC: exim-dev@???


The following are in exim.conf
tls_certificate = /etc/exim/$received_ip_address.cer
tls_privatekey = /etc/exim/$received_ip_address.key
tls_dhparam = /etc/exim/$received_ip_address.dh
tls_verify_certificates = /etc/ssl/certs

In this report, I have tried to hide the IPv6 addresses by changing the start
to be aaaa:bbbb

Connecting over IPv6 with TLS fails (IPv4 works, but IPv6 fails).

To reproduce:
Run exim as follows: "/usr/sbin/exim -bd -d". Exim starts and waits with
"Listening...".

Connect using "openssl s_client --host <host> --port 25 -starttls smtp":
CONNECTED(00000003)
139754710327744:error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 259 bytes and written 209 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1557397482
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


Exim outputs
24989 SMTP<< STARTTLS
24989 setting SSL CTX options: 0x1104000
24989 Diffie-Hellman initialized from /etc/exim/aaaa:bbbb:2:3::1:8.dh with
2048-bit prime
24989 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
24989 tls_certificate file /etc/exim/aaaa
24989 TLS error '(SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa):
error:02001002:system library:fopen:No such file or directory'
24989 LOG: MAIN
24989   TLS error on connection from (mail.example.com)
[aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25
(SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa): error:02001002:system
library:fopen:No such file or directory
24989 SMTP>> 454 TLS currently unavailable
24989 SMTP<< ?�??�uȰE�[��m3�X�}���_����BC���??8�,�0?�̨̩�+�/?��$�(?k�#�'?g�
24989 LOG: smtp_syntax_error MAIN
24989   SMTP syntax error in
"\026\003\001?\253\001??\247\003\003\026u\310\260E\227[\233\370m3\202X\317}\336\320\211\266_\263\034\363\333\241\302BC\232\334\361\252??8\300,\3000?\237\314\251\314\250\314\252\300+\300/?\236\300$\300(?k\300#\300'?g\300"
H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25 NUL
character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP<< �?9�       �?3?�?�?=?<?5?/?�??F?
                                             ???
24989 LOG: smtp_syntax_error MAIN
24989   SMTP syntax error in "\300\024?9\300   
\300\023?3?\235?\234?=?<?5?/?\377\001??F?\v?\004\003?\001\002?"
H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25 NUL
character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP<< ?
24989 LOG: smtp_syntax_error MAIN
24989   SMTP syntax error in "?" H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242
I=[aaaa:bbbb:2:3::1:8]:25 NUL character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP>> 421 myfqdn.com lost input connection
24989 LOG: smtp_connection MAIN
24989   SMTP connection from (mail.example.com) [aaaa:bbbb:5:2::3]:44242
I=[aaaa:bbbb:2:3::1:8]:25 lost (error: Connection reset by peer) D=0.081s
24989 search_tidyup called


The dh file is found correctly; however, it appears to be trying to open aaaa
rather than aaaa:bbbb:2:3::1:8.cer:
SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa

If /etc/exim/aaaa exists, it then tries to load bbbb:
24964 Diffie-Hellman initialized from /etc/exim/aaaa:bbbb:2:3::1:8.dh with
2048-bit prime
24964 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
24964 tls_certificate file /etc/exim/aaaa
24964 tls_certificate file bbbb
24964 TLS error '(SSL_CTX_use_certificate_chain_file file=bbbb):
error:02001002:system library:fopen:No such file or directory'
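As an added illustration (not part of the bug report or of Exim's own code): the sequence in the log, trying /etc/exim/aaaa and then bbbb, is exactly what Exim's list handling produces when a list-typed option such as tls_certificate expands to a path containing an IPv6 address. The Python model below assumes Exim's documented string-list semantics (a colon separates items, a doubled colon is a literal colon, a leading "<;" switches the separator to ";"); the template strings and the 192.0.2.25 address are constructed sample values, and the "<; " variant shows how a changed separator keeps the path intact.

```python
"""Model of Exim-style colon-separated list splitting, used to show how a
tls_certificate value built from an IPv6 address falls apart into pieces."""
from typing import List

# Constructed sample values; aaaa:bbbb is the masked prefix from the report.
TEMPLATE = "/etc/exim/$received_ip_address.cer"
IPV6_ADDR = "aaaa:bbbb:2:3::1:8"
IPV4_ADDR = "192.0.2.25"


def split_exim_list(value: str, sep: str = ":") -> List[str]:
    """Split VALUE the way an Exim string list is split (assumed semantics):
    - a leading '<X' (X neither letter nor digit) changes the separator to X,
    - a doubled separator stands for one literal separator character,
    - leading and trailing white space on each item is discarded."""
    value = value.lstrip()
    if value.startswith("<") and len(value) > 1 and not value[1].isalnum():
        sep, value = value[1], value[2:]
    items, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == sep:
            if value[i + 1:i + 2] == sep:  # doubled separator: literal char
                cur.append(sep)
                i += 2
                continue
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur).strip())
    return items


def certificate_candidates(template: str, ip: str) -> List[str]:
    """Expand $received_ip_address, then split the result as a list: each
    item is a file name Exim would try to open, in order."""
    return split_exim_list(template.replace("$received_ip_address", ip))


if __name__ == "__main__":
    for tmpl in (TEMPLATE, "<; " + TEMPLATE):
        for ip in (IPV4_ADDR, IPV6_ADDR):
            print(f"{tmpl!r} with {ip}: {certificate_candidates(tmpl, ip)}")
```

Note that while the certificate cannot be loaded, the server answers STARTTLS with "454 TLS currently unavailable", so any client that does not insist on TLS will carry on in plaintext over IPv6.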
