On 2022-09-29, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> On Thu, Sep 29, 2022 at 03:31:59AM -0000, Jasen Betts via Exim-users wrote:
>
>> This client called itself "Paradox" in the SMTP ehlo, I think it's
>> probably an alarm system. I have an example TLS hello packet now:
>>
>> 16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
>> d052828c650ccd8c0200400000180033003900450088001600350084002f0041
>> 000a000500040100
>
> The "tshark" decode for this Client Hello is:
>
> Transport Layer Security
> SSLv3 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 67
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 63
> Version: TLS 1.1 (0x0302)
> Random: ffffffff923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> GMT Unix Time: Feb 7, 2106 01:28:15.000000000 EST
> Random Bytes: 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> Session ID Length: 0
> Cipher Suites Length: 24
> Cipher Suites (12 suites)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
>
> So this client seems to support SSL 3.0 through TLS 1.1, with RSA and
> mostly SHA1. The TLS Client HELLO includes no TLS 1.0 extensions.
>
>> tls_require_ciphers expands to "NORMAL:%COMPAT"
>> 433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
>> 433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
>> 433838 Initialising GnuTLS server params
>> 433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
>
> First client cipher chosen. But does the server support TLS 1.1 and
> below? Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?
>
>> 433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: GNUTLS_DHE_RSA_AES_128_CBC_SHA1
>> 433838 error -56 from gnutls_handshake: The requested data were not available.
>
> Here, the first ciphersuite is chosen, but perhaps then fails for lack
> of appropriate DHE parameters? There may be some adverse interaction
> between DHE group selection and TLS 1.1 and below in the newer Exim.
>
>> 435388 TLS: no SNI presented in handshake.
>> 435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
>> 435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for compatibility
>> 435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for compatibility
>> 435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for compatibility
>> 435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for compatibility
>> 435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for compatibility
>> 435388 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
>> 435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: GNUTLS_RSA_AES_256_CBC_SHA1
>
> With the older Exim, GnuTLS appears to consider six cipher suites before
> finding a suitable choice (after skipping all the DHE candidates).
I can disable DHE_RSA by saying
tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
and now it chooses the same suite that 4.94 was choosing
but there is still an error after the suite is chosen.
442134 Initialising GnuTLS server params
442134 Loading default hard-coded DH params
442134 GnuTLS<3>: ASSERT: ../../lib/dh.c[gnutls_dh_params_import_pkcs3]:556
442134 Loaded fixed standard D-H parameters
442134 cipher list preloaded
442134 TLS: a client certificate will not be requested
442134 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1185
442134 GnuTLS<3>: ASSERT: ../../lib/db.c[_gnutls_server_restore_session]:334
442134 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
442134 TLS: no SNI presented in handshake
442134 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for compatibility
442134 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for compatibility
442134 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for compatibility
442134 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for compatibility
442134 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for compatibility
442134 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for compatibility
442134 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
442134 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: GNUTLS_RSA_AES_256_CBC_SHA1
442134 GnuTLS<3>: ASSERT: ../../lib/extv.c[gnutls_ext_raw_parse]:141
442134 GnuTLS<3>: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1741
442134 GnuTLS<3>: ASSERT: ../../lib/handshake.c[handshake_server]:3480
442134 error -56 from gnutls_handshake: The requested data were not available.
442134 LOG: MAIN
442134 TLS error on connection from localhost [::1] (gnutls_handshake): The requested data were not available.
442134 >>>>>>>>>>>>>>>> Exim pid=442134 (daemon-accept) terminating with rc=0 >>>>>>>>>>>>>>>>
strace gives no indication of what the unavailable resource could be.
write(2, "442134 TLS: a client certificate"..., 55) = 55
alarm(300) = 0
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 68) = 68
recvfrom(14, "\26\3\0\0C", 5, 0, NULL, NULL) = 5
recvfrom(14,
"\1\0\0?\3\2\377\377\377\377\222>\231\210\320+\217\302v\275\317\2\314\266\3749\0\320R\202\214e"...,
67, 0, NULL, NULL) = 67
getrandom("\x73\x39\x4b\xed\x77\xb6\xd4\x06\x58\x91\xa3\x2a\x9d\x0a\xc2\x57\x61\x30\x24\xe5\xc5\x54\x30\x05\xb1\x65\xdc\x3b\xb7\xe5\x05\x71",
32, 0) = 32
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 77) = 77
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 85) = 85
getpid() = 442134
write(2, "442134 TLS: no SNI presented in "..., 42) = 42
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.33"..., 85) = 85
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.39"..., 85) = 85
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.45"..., 90) = 90
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.88"..., 90) = 90
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.16"..., 86) = 86
getpid() = 442134
write(2, "442134 GnuTLS<2>: checking 00.35"..., 81) = 81
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 85) = 85
getpid() = 442134
write(2, "442134 GnuTLS<2>: Selected (RSA)"..., 93) = 93
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 69) = 69
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 77) = 77
getpid() = 442134
write(2, "442134 GnuTLS<3>: ASSERT: ../../"..., 71) = 71
alarm(0) = 299
getpid() = 442134
write(2, "442134 error -56 from gnutls_ha"..., 80) = 80
sendmsg(12, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="\25\3\2\0\2\2P", iov_len=7}], msg_iovlen=1,
msg_controllen=0, msg_flags=0}, 0) = 7
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0},
it_value={tv_sec=0, tv_usec=500000}}, NULL) = 0
rt_sigsuspend(~[ALRM RTMIN RT_1], 8) = ? ERESTARTNOHAND (To be
restarted if no handler)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigaction(SIGALRM, {sa_handler=0x55616ce877a0, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f6594b3b140}, NULL, 8) = 0
rt_sigreturn({mask=[ALRM]}) = -1 EINTR (Interrupted system
call)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
shutdown(12, SHUT_WR) = 0
--
Jasen.
