Re: [exim] TLS with gmail started failing

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] TLS with gmail started failing
On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
> Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256


That's not a cipher list, it is the cipher that you negotiated.


> 14:32:03 5341 gnutls_handshake was successful
> 14:32:03 5341 TLS certificate verification failed (certificate invalid): peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
> 14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts)
> 14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> 14:32:03 5341 Have channel bindings cached for possible auth usage.
> 14:32:03 5341 SMTP>> EHLO mail1.merlins.org
> 14:32:03 5341 tls_do_write(0xbfd5f57c, 24)
> 14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
> 14:32:03 5341 outbytes=24
> 14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
> 14:32:03 5341 LOG: MAIN
> 14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error on connection (recv): Resource temporarily unavailable, try again.


With TLS1.3 certain TLS startup error types only become visible on the
first read after the handshake call. I think you've hit one. The
handling of these has been made a bit better post-4.92
(see e.g. c15523829b). Is there any chance of you compiling a
bleeding-edge version?

Alternatively, disable TLS1.3 - the tls_require_ciphers option
for the smtp transport is expanded, so you could make this
google-specific.

--
Cheers,
Jeremy
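An added example of the workaround Jeremy suggests, written by the editor and not taken from the thread or from the Exim project's own documentation: an smtp transport whose tls_require_ciphers is expanded per destination host, so TLS 1.3 is dropped only for Google's MX hosts and the rest of the world keeps the default. The transport name remote_smtp, the GnuTLS priority string NORMAL as the "normal" value, and the domain list pattern *.google.com are assumptions for illustration; Exim built against GnuTLS treats tls_require_ciphers as a GnuTLS priority string, and NORMAL:-VERS-TLS1.3 removes TLS 1.3 from that set.

```exim
# Added example, not from the original post. Assumes Exim is built with
# GnuTLS (as in Marc's log) and that the transport is called remote_smtp.
remote_smtp:
  driver = smtp
  # $host is the remote host name at transport time. match_domain tests it
  # against a domain list; *.google.com covers alt4.gmail-smtp-in.l.google.com.
  # For Google hosts: GnuTLS "NORMAL" minus TLS 1.3. Everywhere else: the
  # unmodified NORMAL priority string (assumed here as the site default).
  tls_require_ciphers = ${if match_domain{$host}{*.google.com} \
                              {NORMAL:-VERS-TLS1.3} \
                              {NORMAL}}
  # Verification settings are untouched; the "certificate invalid" line in
  # the log is a separate matter and is not addressed by this fragment.
```

The expansion can be checked before reloading Exim with `exim -be` by substituting a literal host name for $host, e.g. `exim -be '${if match_domain{alt4.gmail-smtp-in.l.google.com}{*.google.com}{NORMAL:-VERS-TLS1.3}{NORMAL}}'`, which should print the TLS1.3-less string. Once a fixed Exim (post-c15523829b) is installed, the per-host override should be removed again so Google mail regains TLS 1.3.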