Re: [exim] GnuTTS woes

Author: Andrew C Aitchison
Date:  
To: Jasen Betts via Exim-users
Subject: Re: [exim] GnuTTS woes
On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:

> On 2022-09-30, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
>> On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:
>>
>>>> With the older Exim, GnuTLS appears to consider six cipher suites before
>>>> finding a suitable choice (after skipping all the DHE candidates).
>>>
>>> I can disable DHE_RSA by saying
>>>
>>>     tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>>>
>>> and now it chooses the same suite that 4.94 was choosing
>>> but there is still an error after the suite is chosen.
>>
>> You could keep debugging GnuTLS, or just use a version of Exim with TLS
>> support via OpenSSL, which will likely just work. Your call.
>>
>> Some resource that GnuTLS expects to use is not available when it is
>> initialised by the problem version of Exim. If not a DHE group,
>> likely something else related to cryptography. To debug, you'd need
>> to figure out where that error is raised. Lack of help from strace
>> is not unexpected.
>
> It seems to be ALPN causing the problem.
>
> this was the commit that "broke" it...
>
> commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
> Author: Jeremy Harris <jgh146exb@???>
> Date: Tue Jun 22 23:04:59 2021 +0100
>
>    TLS: as server, reject connections with ALPN indicating non-smtp use
>
> The problem seems to be "gnutls_ext_raw_parse" returning
> GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
> (or when no extensions are being used?) this is undocumented
> behaviour, but is semantically compatible with the description of that
> function.

IIRC you were testing on port 443.

Just out of interest,
what happens if you use a port without a special TLS meaning?

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
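The failure Jasen describes above is a server treating "no ALPN data in the ClientHello" the same as "ALPN names a non-SMTP protocol". The following is an added, stand-alone illustration (not Exim's or GnuTLS's code) of the distinction: a walker over a ClientHello extensions vector that reports ALPN absence as its own non-fatal outcome and rejects only when an ALPN extension is present and does not list the expected protocol. The expected identifier "smtp" and the sample byte strings are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXT_TYPE_ALPN 0x0010   /* application_layer_protocol_negotiation, RFC 7301 */

/* "client sent no ALPN" must stay distinct from "client sent ALPN for another protocol". */
enum alpn_verdict { ALPN_ABSENT, ALPN_ACCEPT, ALPN_REJECT, ALPN_MALFORMED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk an ALPN body (ProtocolNameList): 1 on exact match of want, 0 if not listed, -1 if malformed. */
static int alpn_lists_protocol(const uint8_t *body, size_t len, const char *want)
{
    if (len < 2 || (size_t)rd16(body) + 2 != len) return -1;
    for (size_t off = 2; off < len;) {
        size_t n = body[off++];
        if (n == 0 || off + n > len) return -1;       /* empty name or overrun */
        if (n == strlen(want) && memcmp(body + off, want, n) == 0) return 1;
        off += n;
    }
    return 0;
}

/* ext/ext_len: the ClientHello extensions vector (2-byte length, then type/len/body
 * triples); ext_len == 0 models a hello carrying no extensions at all.  The lesson
 * from the thread: "no ALPN data" is a normal outcome (what GnuTLS signals as
 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE), and only an ALPN extension that omits the
 * expected protocol should lead to rejection. */
enum alpn_verdict check_client_hello_alpn(const uint8_t *ext, size_t ext_len, const char *want)
{
    if (ext_len == 0) return ALPN_ABSENT;
    if (ext_len < 2 || (size_t)rd16(ext) + 2 != ext_len) return ALPN_MALFORMED;
    size_t off = 2;
    while (off + 4 <= ext_len) {
        uint16_t type = rd16(ext + off), len = rd16(ext + off + 2);
        off += 4;
        if (off + len > ext_len) return ALPN_MALFORMED;
        if (type == EXT_TYPE_ALPN) {
            int r = alpn_lists_protocol(ext + off, len, want);
            return r < 0 ? ALPN_MALFORMED : r ? ALPN_ACCEPT : ALPN_REJECT;
        }
        off += len;
    }
    return off == ext_len ? ALPN_ABSENT : ALPN_MALFORMED;   /* extensions present, none is ALPN */
}

/* Constructed sample extension vectors for the example (not captured traffic). */
static const uint8_t HELLO_ALPN_SMTP[] = {0x00,0x0b, 0x00,0x10,0x00,0x07, 0x00,0x05, 0x04,'s','m','t','p'};
static const uint8_t HELLO_ALPN_H2[]   = {0x00,0x09, 0x00,0x10,0x00,0x05, 0x00,0x03, 0x02,'h','2'};
static const uint8_t HELLO_NO_ALPN[]   = {0x00,0x04, 0x00,0x17,0x00,0x00};  /* only extended_master_secret */
```

Applied to the three constructed vectors, the walker yields ALPN_ACCEPT, ALPN_REJECT and ALPN_ABSENT respectively; a hello with no extensions at all is also ALPN_ABSENT rather than an error.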