Re: [exim] GnuTTS woes

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jasen Betts
Datum:  
To: exim-users
Betreff: Re: [exim] GnuTTS woes
On 2022-09-28, Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:
>> You need to analyse some failed handshake full-packet captures with
>> "tshark", and collected detailed logs from the clients that are having
>> problems.
>
> For Exim, that's "-d-all+tls" as a minimum.


Thanks.

This client called itself "Paradox" in the SMTP ehlo, I think it's
probably an alarm system. I have an example TLS hello packet now:

16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
d052828c650ccd8c0200400000180033003900450088001600350084002f0041
000a000500040100

And I'm able to provoke the error message by replaying it.

( sleep 1 ; xxd -c 32 -r << XDATA
000 16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
020 d052828c650ccd8c0200400000180033003900450088001600350084002f0041
040 000a000500040100
XDATA
sleep 4 ; echo quit ; echo quit ; sleep 5 ) | nc localhost 465


root@eximtest:~# exim -bd -d-all+tls
Exim version 4.96 uid=0 gid=0 pid=433834 D=10000000
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS TLS_resume move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
                        Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                      Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
                         Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
                       Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
                             Runtime: 1.33
Library version: spf2: Compile: 1.2.10
                       Runtime: 1.2.10
Library version: Cyrus SASL: Compile: 2.1.27
                             Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE2: Compile: 10.36
                        Runtime: 10.36 2020-12-04
Library version: MySQL: Compile: 100515 10.5.15 [mariadb-10.5]
                        Runtime: 100515 10.5.15
Library version: SQLite: Compile: 3.34.1
                         Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 0000cffc 64205022 0000001c
cwd=/root 3 args: exim -bd -d-all+tls
trusted user
admin user
dropping to exim gid; retaining priv uid
fresh-exec forking for cipher-validate
fresh-exec forked for cipher-validate: 433835
postfork: cipher-validate
tls_require_ciphers expands to "NORMAL:%COMPAT"

>>>>>>>>>>>>>>>> Exim pid=433835 (cipher-validate) terminating with rc=0 >>>>>>>>>>>>>>>>

tls_validate_require_cipher child 433835 ended: status=0x0
433834 creating notifier socket
433834 @/var/spool/exim4/exim_daemon_notify
433834 listening on all interfaces (IPv6) port 25
433834 listening on all interfaces (IPv4) port 25
433834 listening on all interfaces (IPv6) port 465
433834 listening on all interfaces (IPv4) port 465
433834 listening on all interfaces (IPv6) port 587
433834 listening on all interfaces (IPv4) port 587
433834 listening on all interfaces (IPv6) port 443
433834 listening on all interfaces (IPv4) port 443
433834 pid written to /run/exim4/exim.pid
433834 LOG: MAIN
433834 exim 4.96 daemon started: pid=433834, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4) port 443 (IPv6 and IPv4)
433834 GnuTLS global init required
433834 TLS: basic cred init, server
433834 tls_set_watch: '/etc/exim4/duck.certkey'
433834 watch dir '/etc/exim4'
433834 TLS: preloading server certs
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:103
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:174
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
433834 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
433834 TLS: cert/key 0 /etc/exim4/duck.certkey registered
433834 TLS: not preloading CA bundle for server
433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
433834 TLS: basic cred init, client
433834 TLS: not preloading client certs, for transport 'remote_smtp'
433834 TLS: preloading CA bundle for transport 'remote_smtp'
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1025
433834 Added 129 certificate authorities
433834 TLS: not preloading CRL, for transport 'remote_smtp'
433834 TLS: basic cred init, client
433834 TLS: not preloading client certs, for transport 'remote_smtp_smarthost'
433834 TLS: preloading CA bundle for transport 'remote_smtp_smarthost'
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1025
433834 Added 129 certificate authorities
433834 TLS: not preloading CRL, for transport 'remote_smtp_smarthost'
433834 daemon running with uid=106 gid=112 euid=106 egid=112
433834 Listening...
433834 Connection request from ::1 port 46460
433834 daemon forking for daemon-accept
433834 daemon forked for daemon-accept: 433838
433834 1 SMTP accept process running
433834 Listening...
433838 postfork: daemon-accept
433838 Process 433838 is handling incoming connection from [::1]
433838 initialising GnuTLS as a server
433838 initialising GnuTLS server session
433838 Expanding various TLS configuration options for session credentials
433838 server certs were preloaded
433838 verify certificates = /etc/ssl/certs/ca-certificates.crt size=200313
433838 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1025
433838 Added 129 certificate authorities
433838 Initialising GnuTLS server params
433838 Loading default hard-coded DH params
433838 GnuTLS<3>: ASSERT: ../../lib/dh.c[gnutls_dh_params_import_pkcs3]:556
433838 Loaded fixed standard D-H parameters
433838 cipher list preloaded
433838 TLS: a client certificate will not be requested
433838 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
433838 GnuTLS<3>: ASSERT: ../../lib/db.c[_gnutls_server_restore_session]:334
433838 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
433838 TLS: no SNI presented in handshake
433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
433838 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: GNUTLS_DHE_RSA_AES_128_CBC_SHA1
433838 GnuTLS<3>: ASSERT: ../../lib/extv.c[gnutls_ext_raw_parse]:141
433838 GnuTLS<3>: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1741
433838 GnuTLS<3>: ASSERT: ../../lib/handshake.c[handshake_server]:3480
433838 error -56 from gnutls_handshake: The requested data were not available.
433838 LOG: MAIN
433838 TLS error on connection from localhost [::1] (gnutls_handshake): The requested data were not available.
433838 >>>>>>>>>>>>>>>> Exim pid=433838 (daemon-accept) terminating with rc=0 >>>>>>>>>>>>>>>>
433834 child 433838 ended: status=0x0
433834 normal exit, 0
433834 0 SMTP accept processes now running
433834 Listening...


For comparison, with Exim version 4.94 I get the following:

root@eximtest:~# exim -bd -d-all+tls
Exim version 4.94.2 uid=0 gid=0 pid=435384 D=10000000
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
                        Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                      Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
                         Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
                       Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
                             Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
                             Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
Library version: MySQL: Compile: 100510 10.5.10 [mariadb-10.5]
                        Runtime: 100515 10.5.15
Library version: SQLite: Compile: 3.34.1
                         Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 0000cffc 19005022 0000000f
cwd=/root 3 args: exim -bd -d-all+tls
trusted user
admin user
dropping to exim gid; retaining priv uid
fresh-exec forking for cipher-validate
fresh-exec forked for cipher-validate: 435385
postfork: cipher-validate
tls_require_ciphers expands to "NORMAL:%COMPAT"

>>>>>>>>>>>>>>>> Exim pid=435385 (cipher-validate) terminating with rc=0 >>>>>>>>>>>>>>>>

tls_validate_require_cipher child 435385 ended: status=0x0
435384 creating notifier socket
435384 @/var/spool/exim4/exim_daemon_notify
435384 listening on all interfaces (IPv6) port 25
435384 listening on all interfaces (IPv4) port 25
435384 listening on all interfaces (IPv6) port 465
435384 listening on all interfaces (IPv4) port 465
435384 listening on all interfaces (IPv6) port 587
435384 listening on all interfaces (IPv4) port 587
435384 listening on all interfaces (IPv6) port 443
435384 listening on all interfaces (IPv4) port 443
435384 pid written to /run/exim4/exim.pid
435384 LOG: MAIN
435384 exim 4.94.2 daemon started: pid=435384, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4) port 443 (IPv6 and IPv4)
435384 daemon running with uid=106 gid=112 euid=106 egid=112
435384 Listening...
435384 Connection request from ::1 port 35782
435384 daemon forking for daemon-accept
435384 daemon forked for daemon-accept: 435388
435384 1 SMTP accept process running
435384 Listening...
435388 postfork: daemon-accept
435388 Process 435388 is handling incoming connection from [::1]
435388 initialising GnuTLS as a server
435388 GnuTLS global init required.
435388 initialising GnuTLS server session
435388 Expanding various TLS configuration options for session credentials.
435388 certificate file = /etc/exim4/duck.certkey
435388 key file = /etc/exim4/duck.certkey
435388 GnuTLS<3>: ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:103
435388 GnuTLS<3>: ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:174
435388 GnuTLS<3>: ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
435388 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
435388 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
435388 TLS: cert/key 0 /etc/exim4/duck.certkey registered
435388 verify certificates = /etc/ssl/certs/ca-certificates.crt size=200313
435388 GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1025
435388 Added 129 certificate authorities.
435388 GnuTLS session cipher/priority "NORMAL:%COMPAT"
435388 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
435388 TLS: a client certificate will not be requested.
435388 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
435388 GnuTLS<3>: ASSERT: ../../lib/db.c[_gnutls_server_restore_session]:334
435388 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
435388 TLS: no SNI presented in handshake.
435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for compatibility
435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for compatibility
435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for compatibility
435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for compatibility
435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for compatibility
435388 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: GNUTLS_RSA_AES_256_CBC_SHA1
435388 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
435388 GnuTLS<3>: ASSERT: ../../lib/record.c[check_recv_type]:623
435388 GnuTLS<1>: Received record packet of unknown type 113


113 is the "q" in "quit" from my test script, so that's expected.

--
Jasen.