Re: [exim] GnuTTS woes

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Viktor Dukhovni
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] GnuTTS woes
On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote:

> OpenSSL 3.0.5 5 Jul 2022    running on Fedora 36

>
> I think using the distro standard package
> openssl-1:3.0.2-4.fc36.x86_64
> (though I note the numbers don't exactly line up)
>
> The failure mode is a TLS Alert complaining about version
> (I forget the precise wording, sorry)
> and followed by what looks like a library internal bug-triggered
> error for a BIO operation error.
>
> Clearing either no_tlsv1_1 or no_sslv3 has no effect.


Of course, if there's no support, the CLI flags don't matter. TLS 1.1 does
not work with OpenSSL 3.0.5, Though it looks more like a bug to me:

    $ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = dnssec-stats.ant.isi.edu
    verify return:1
    C0A1EBA5F27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:


Things work better with TLS 1.2:

    $ openssl s_client -quiet -starttls smtp -tls1_2 -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = dnssec-stats.ant.isi.edu
    verify return:1
    250 CHUNKING
    QUIT
    221 2.0.0 Bye


If this is still broken in 3.0.6-dev, a bug report may be appropriate.

-- 
    Viktor.