On 2022-09-30, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:
>
>> > With the older Exim, GnuTLS appears to consider six cipher suites before
>> > finding a suitable choice (after skipping all the DHE candidates).
>>
>> I can disable DHE_RSA by saying
>>
>> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>>
>> and now it chooses the same suite that 4.94 was choosing
>> but there is still an error after the suite is chosen.
>
> You could keep debugging GnuTLS, or just use a version of Exim with TLS
> support via OpenSSL, which will likely just work. Your call.
>
> Some resource that GnuTLS expects to use is not available when it is
> initialised by the problem version of Exim. If not a DHE group,
> likely something else related cryptography. To debug, you'd need
> to figure out where that error is raised. Lack of help from strace
> is not unexpected.
It seems to be ALPN causing the problem.
this was the commit that "broke" it...
commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Author: Jeremy Harris <jgh146exb@???>
Date: Tue Jun 22 23:04:59 2021 +0100
TLS: as server, reject connections with ALPN indicating non-smtp use
The problem seems to be "gnutls_ext_raw_parse" returning
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
(or when no extensions are being used?) this is undocumented
behaviour, but is sematically compatible with the description of that
function.
This patch seems to fix it in my test case. I will try real-world tests next week.
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7a6db94e1..9fc921064 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1142,8 +1142,9 @@ tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
{
/* Call fn for each extension seen. 3.6.3 onwards */
-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+ int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+ return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc ;
}
--
Jasen.