Hello.
On Sat, Oct 16, 2021 at 06:44:28PM +0200, Heiko Schlittermann via Exim-users wrote:
> Adam D. Barratt via Exim-users <exim-users@???> (Sa 16 Okt 2021 17:43:57 CEST):
> > >
> > > This hh.schlittermann.de runs the latest Exim, and probably sends you
> > > an SNI your server for some reason doesn't accept?
> >
> > FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> > 11:08:41UTC today. The server in question is running Debian's 4.92-
> > 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> > selector.
> >
> > The log entries for the second failed connection are:
> >
> > 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection count = 1)
> > 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been received.
This message ("A disallowed SNI server name has been received") is generated
by the GnuTLS library in lib/ext/server_name.c:112; the error is raised if the SNI
does not pass this check:
inline static unsigned _gnutls_dnsname_is_valid(const char *str, unsigned size)
{
        unsigned i;

        for (i = 0; i < size; i++) {
                if (!(c_isalnum(str[i]) || str[i] == '-' || str[i] == '.'))
                        return 0;
        }
        return 1;
}

The c_isalnum() check function is defined in lib/str.h:63.
Let me remind you that I observe persistent segfaults with 4.95-rc2 and 4.95
in the GnuTLS library, which are definitely caused by some memory corruption.
Exactly the same version of the GnuTLS library (3.7.2) works perfectly with
Exim 4.94, which is why I suspect that something in the 4.95 code is broken...
Maybe the SNI corruption is an indication of the same problem.
--
Eugene Berdnikov
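As an added illustration (not part of the mail above and not GnuTLS or Exim code), the following reimplements the character check quoted from lib/ext/server_name.c and reports the offset of the first byte it rejects, so an administrator logging tls_sni can tell an unusual but printable hostname (e.g. one containing an underscore) from a value that looks like memory garbage. The sample SNI strings are constructed for the example.

```c
/* Added example: mirror of GnuTLS's _gnutls_dnsname_is_valid() predicate with
 * diagnostics. isalnum() in the default "C" locale accepts the same ASCII set
 * as GnuTLS's locale-independent c_isalnum(). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only [A-Za-z0-9], '-' and '.' are allowed in an SNI host name. */
static int sni_char_ok(unsigned char c)
{
        return isalnum(c) || c == '-' || c == '.';
}

/* Returns -1 if every byte passes the check, otherwise the offset of the
 * first disallowed byte (the byte GnuTLS would reject the name for). */
int sni_first_bad_byte(const unsigned char *str, size_t size)
{
        for (size_t i = 0; i < size; i++)
                if (!sni_char_ok(str[i]))
                        return (int)i;
        return -1;
}

/* 0 = accepted, 1 = rejected on a printable character (legitimate but
 * non-conforming name), 2 = rejected on a non-printable byte (suspicious,
 * e.g. a corrupted buffer on the sending side). */
int sni_classify(const unsigned char *str, size_t size)
{
        int off = sni_first_bad_byte(str, size);
        if (off < 0)
                return 0;
        return isprint(str[off]) ? 1 : 2;
}

int main(void)
{
        /* Constructed sample SNI values, not captured from the thread. */
        const char *samples[] = {
                "hh.schlittermann.de",        /* valid */
                "mail_host.example.org",      /* underscore: printable */
                "hh.schlitt\x01\xff.de",      /* stray bytes: garbage */
        };
        for (size_t n = 0; n < 3; n++) {
                const unsigned char *s = (const unsigned char *)samples[n];
                size_t len = strlen(samples[n]);
                printf("sample %zu: first bad byte %d, class %d\n", n,
                       sni_first_bad_byte(s, len), sni_classify(s, len));
        }
        return 0;
}
```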