On 2022-09-30, Andrew C Aitchison via Exim-users <exim-users@???> wrote:
> On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:
>
>> On 2022-09-30, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
>>> On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:
>>>
>>>>> With the older Exim, GnuTLS appears to consider six cipher suites before
>>>>> finding a suitable choice (after skipping all the DHE candidates).
>>>>
>>>> I can disable DHE_RSA by saying
>>>>
>>>> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>>>>
>>>> and now it chooses the same suite that 4.94 was choosing
>>>> but there is still an error after the suite is chosen.
>>>
>>> You could keep debugging GnuTLS, or just use a version of Exim with TLS
>>> support via OpenSSL, which will likely just work. Your call.
>>>
>>> Some resource that GnuTLS expects to use is not available when it is
>>> initialised by the problem version of Exim. If not a DHE group,
>>> likely something else related cryptography. To debug, you'd need
>>> to figure out where that error is raised. Lack of help from strace
>>> is not unexpected.
>>
>> It seems to be ALPN causing the problem.
>>
>> this was the commit that "broke" it...
>>
>> commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
>> Author: Jeremy Harris <jgh146exb@???>
>> Date: Tue Jun 22 23:04:59 2021 +0100
>>
>> TLS: as server, reject connections with ALPN indicating non-smtp use
>>
>> The problem seems to be "gnutls_ext_raw_parse" returning
>> GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
>> (or when no extensions are being used?) this is undocumented
>> behaviour, but is sematically compatible with the description of that
>> function.
>
> IIRC you were testing on port 443.
Recently I changed to testing on 465.
Testing 4.96 on 443 showed negative results for many web browsers
(unsurprisingly now) versin 4.94 (which was released just before ALPN
was implemented in exim) gives positive results.
> Just out of interest,
> what happens if you use a port without a special TLS meaning ?
Recently I've just been replaying the recorded Paradox "TLS hello" for testing.
Testssl.sh primes its ALPN requests based on the port number used (but
that can probably be overridden)
--
Jasen.