https://bugs.exim.org/show_bug.cgi?id=2396
Bug ID: 2396
Summary: key lookup with received_ip_address fails
Product: Exim
Version: 4.92
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: jgh146exb@???
Reporter: spencer.marshall@???
CC: exim-dev@???
The following are in exim.conf:
tls_certificate = /etc/exim/$received_ip_address.cer
tls_privatekey = /etc/exim/$received_ip_address.key
tls_dhparam = /etc/exim/$received_ip_address.dh
tls_verify_certificates = /etc/ssl/certs
In this report, I have tried to hide the IPv6 addresses by changing the start
to aaaa:bbbb.
Connecting over IPv6 with TLS fails (IPv4 works, but IPv6 fails).
To reproduce:
Run exim as follows: "/usr/sbin/exim -bd -d". Exim starts and waits with
"Listening...".
Connect using "openssl s_client --host <host> --port 25 -starttls smtp":
CONNECTED(00000003)
139754710327744:error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 259 bytes and written 209 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1557397482
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Exim outputs:
24989 SMTP<< STARTTLS
24989 setting SSL CTX options: 0x1104000
24989 Diffie-Hellman initialized from /etc/exim/aaaa:bbbb:2:3::1:8.dh with
2048-bit prime
24989 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
24989 tls_certificate file /etc/exim/aaaa
24989 TLS error '(SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa):
error:02001002:system library:fopen:No such file or directory'
24989 LOG: MAIN
24989 TLS error on connection from (mail.example.com)
[aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25
(SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa): error:02001002:system
library:fopen:No such file or directory
24989 SMTP>> 454 TLS currently unavailable
24989 SMTP<< ?�??�uȰE�[��m3�X�}���_����BC���??8�,�0?�̨̩�+�/?��$�(?k�#�'?g�
24989 LOG: smtp_syntax_error MAIN
24989 SMTP syntax error in
"\026\003\001?\253\001??\247\003\003\026u\310\260E\227[\233\370m3\202X\317}\336\320\211\266_\263\034\363\333\241\302BC\232\334\361\252??8\300,\3000?\237\314\251\314\250\314\252\300+\300/?\236\300$\300(?k\300#\300'?g\300"
H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25 NUL
character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP<< �?9� �?3?�?�?=?<?5?/?�??F?
???
24989 LOG: smtp_syntax_error MAIN
24989 SMTP syntax error in "\300\024?9\300
\300\023?3?\235?\234?=?<?5?/?\377\001??F?\v?\004\003?\001\002?"
H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242 I=[aaaa:bbbb:2:3::1:8]:25 NUL
character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP<< ?
24989 LOG: smtp_syntax_error MAIN
24989 SMTP syntax error in "?" H=(mail.example.com) [aaaa:bbbb:5:2::3]:44242
I=[aaaa:bbbb:2:3::1:8]:25 NUL character(s) present (shown as '?')
24989 SMTP>> 501 NUL characters are not allowed in SMTP commands
24989 SMTP>> 421 myfqdn.com lost input connection
24989 LOG: smtp_connection MAIN
24989 SMTP connection from (mail.example.com) [aaaa:bbbb:5:2::3]:44242
I=[aaaa:bbbb:2:3::1:8]:25 lost (error: Connection reset by peer) D=0.081s
24989 search_tidyup called
The dh file is found correctly; however, it appears to be trying to open aaaa
rather than aaaa:bbbb:2:3::1:8.cer:
SSL_CTX_use_certificate_chain_file file=/etc/exim/aaaa
If /etc/exim/aaaa exists, it then tries to load bbbb:
24964 Diffie-Hellman initialized from /etc/exim/aaaa:bbbb:2:3::1:8.dh with
2048-bit prime
24964 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
24964 tls_certificate file /etc/exim/aaaa
24964 tls_certificate file bbbb
24964 TLS error '(SSL_CTX_use_certificate_chain_file file=bbbb):
error:02001002:system library:fopen:No such file or directory'
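The debug lines above ("tls_certificate file /etc/exim/aaaa", then "bbbb") are consistent with the expanded tls_certificate value being parsed as an Exim colon-separated list, so the colons of the IPv6 address act as item separators while the non-list tls_dhparam path is used whole. As an added example (not code from this report or from Exim), the Python below models the list rules from the Exim specification (colon separator, a doubled colon as one literal colon, a leading "<;" to change the separator) and shows how the report's path splits, next to two configurations that keep the path intact; it assumes those general list rules apply to tls_certificate and uses the report's obfuscated address as constructed input.

```python
"""Model of Exim's list splitting as applied to a tls_certificate path.

Added example, not Exim's own code. Rules modelled (from the Exim spec):
default separator ':', a doubled separator is one literal separator,
whitespace around items is trimmed, and a leading '<' followed by a
non-alphanumeric character selects that character as the separator.
Handling of empty items is deliberately not modelled.
"""


def exim_list_items(value, default_sep=":"):
    """Split an expanded option value into list items the way Exim would."""
    sep = default_sep
    s = value.lstrip()
    if len(s) >= 2 and s[0] == "<" and not (s[1].isalnum() or s[1].isspace()):
        sep, s = s[1], s[2:]          # "<;" style separator change
    items, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == sep:
            if i + 1 < len(s) and s[i + 1] == sep:
                cur.append(sep)       # doubled separator -> literal character
                i += 2
                continue
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur).strip())
    return items


def expand(template, received_ip_address):
    """Stand-in for Exim's $received_ip_address expansion (plain substitution)."""
    return template.replace("$received_ip_address", received_ip_address)


# Constructed sample address, in the same obfuscated form the report uses.
IPV6 = "aaaa:bbbb:2:3::1:8"
TEMPLATE = "/etc/exim/$received_ip_address.cer"

# As configured in the report: the expanded path is then split as a list.
BROKEN = expand(TEMPLATE, IPV6)
# Fix 1: change the list separator so colons in the path are not special.
FIXED_SEP = "<; " + expand(TEMPLATE, IPV6)
# Fix 2: double every colon in the address, as ${sg{$received_ip_address}{:}{::}} would.
FIXED_DOUBLED = expand(TEMPLATE, IPV6.replace(":", "::"))

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("sep", FIXED_SEP), ("doubled", FIXED_DOUBLED)):
        print(label, exim_list_items(value))
```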