Re: [exim] GnuTTS woes

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] GnuTTS woes
On Thu, Sep 29, 2022 at 03:31:59AM -0000, Jasen Betts via Exim-users wrote:

> This client called itself "Paradox" in the SMTP ehlo, I think it's
> probably an alarm system. I have an example TLS hello packet now:
>
> 16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
> d052828c650ccd8c0200400000180033003900450088001600350084002f0041
> 000a000500040100


The "tshark" decode for this Client Hello is:

    Transport Layer Security
        SSLv3 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: SSL 3.0 (0x0300)
            Length: 67
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 63
                Version: TLS 1.1 (0x0302)
                Random: ffffffff923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
                    GMT Unix Time: Feb  7, 2106 01:28:15.000000000 EST
                    Random Bytes: 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
                Session ID Length: 0
                Cipher Suites Length: 24
                Cipher Suites (12 suites)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)


So this client seems to support SSL 3.0 through TLS 1.1, with RSA and
mostly SHA1. The TLS Client HELLO includes no TLS 1.0 extensions.

> tls_require_ciphers expands to "NORMAL:%COMPAT"
> 433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
> 433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
> 433838 Initialising GnuTLS server params
> 433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility


First client cipher chosen. But does the server support TLS 1.1 and
below? Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?

> 433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: GNUTLS_DHE_RSA_AES_128_CBC_SHA1
> 433838 error -56 from gnutls_handshake: The requested data were not available.


Here, the first ciphersuite is chosen, but perhaps then fails for lack
of appropriate DHE parameters? There may be some adverse interaction
between DHE group selection and TLS 1.1 and below in the newer Exim.

> 435388 TLS: no SNI presented in handshake.
> 435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
> 435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for compatibility
> 435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for compatibility
> 435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for compatibility
> 435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for compatibility
> 435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for compatibility
> 435388 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
> 435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: GNUTLS_RSA_AES_256_CBC_SHA1


With the older Exim, GnuTLS appears to consider six cipher suites before
finding a suitable choice (after skipping all the DHE candidates).

-- 
    Viktor.