[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Wolfgang
Date:  
To: exim-users
New topics: [exim] Re: Debug TLS/DANE problems
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
Hello Jeremy,

thanks for this very helpful hint!

> Actual debug output from the Exim system. I pointed out how best
> to do that on the 2nd (assuming that the Exim system is the
> accepting end for the connection).


> [ In case it's an outbound connection at issue, a simple way to get
>   debug is:
>             exim -d+all -odf fred@??? </dev/null 2>&1 | tee debuglog

[...]

> ]



Doing so, I was able to catch the failing GnuTLS connection:
======================================================================

17:46:01 1566 85.215.77.84 in hosts_require_ocsp? no (option unset)
17:46:01 1566 85.215.77.84 in hosts_request_ocsp? yes (matched "*")
17:46:01 1566 initialising GnuTLS as a client on fd 6
17:46:01 1566 GnuTLS global init required
17:46:01 1566 initialising GnuTLS client session
17:46:01 1566 Expanding various TLS configuration options for session credentials
17:46:01 1566 TLS: basic cred init, client
17:46:01 1566 TLS: no client certificate specified; okay
17:46:01 1566 Added 140 certificate authorities
17:46:01 1566 GnuTLS using default session cipher/priority "NORMAL"
17:46:01 1566 Setting D-H prime minimum acceptable bits to 1024
17:46:01 1566 85.215.77.84 in tls_verify_hosts? no (option unset)
17:46:01 1566 85.215.77.84 in tls_try_verify_hosts? yes (matched "*")
17:46:01 1566 85.215.77.84 in tls_verify_cert_hostnames? yes (matched "*")
17:46:01 1566 TLS: server cert verification includes hostname: "mx06.et.lindenberg.one"
17:46:01 1566 TLS: server certificate verification optional
17:46:01 1566 TLS: will request OCSP stapling
17:46:01 1566 85.215.77.84 in tls_resumption_hosts? no (option unset)
17:46:01 1566 about to gnutls_handshake
17:46:01 1566 TLS session fail: (gnutls_handshake): Key usage violation in certificate has been detected.
17:46:01 1566 SMTP(close)>>
17:46:01 1566 cmdlog: '220:EHLO:250-:STARTTLS:220'
17:46:01 1566 85.215.77.84 in hosts_require_tls? yes (matched "*")
17:46:01 1566 set_process_info: 1566 delivering 1sQU5Q-0000PD-2z: just tried mx06.et.lindenberg.one [85.215.77.84] for test@???: result DEFER

and the working OpenSSL connection:
=====================================
17:32:15  1168   SMTP>> STARTTLS
17:32:15  1168 cmd buf flush 10 bytes
17:32:15  1168 read response data: size=24
17:32:15  1168   SMTP<< 220 Ready to start TLS
17:32:15  1168 85.215.77.84 in hosts_require_ocsp? no (option unset)
17:32:15  1168 85.215.77.84 in hosts_request_ocsp?
17:32:15  1168  list element: *
17:32:15  1168  85.215.77.84 in hosts_request_ocsp? yes (matched "*")
17:32:15  1168 setting  SSL CTX options: 0000000042004000
17:32:15  1168 Initialized TLS
17:32:15  1168 85.215.77.84 in tls_verify_hosts? no (option unset)
17:32:15  1168 85.215.77.84 in tls_try_verify_hosts?
17:32:15  1168  list element: *
17:32:15  1168  85.215.77.84 in tls_try_verify_hosts? yes (matched "*")
17:32:15  1168 tls_verify_certificates: system
17:32:15  1168 85.215.77.84 in tls_verify_cert_hostnames?
17:32:15  1168  list element: *
17:32:15  1168  85.215.77.84 in tls_verify_cert_hostnames? yes (matched "*")
17:32:15  1168 Cert hostname to check: "mx06.et.lindenberg.one"
17:32:15  1168 85.215.77.84 in tls_resumption_hosts? no (option unset)
17:32:15  1168 Calling SSL_connect
17:32:15  1168 SSL hshake_start: before SSL initialization
17:32:15  1168 SSL SSL_connect,state_chg: before SSL initialization
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write client hello
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write client hello
17:32:15  1168 SERVER_HANDSHAKE_TRAFFIC_SECRET ebdcb2de396f0ac9ef391a..
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server hello
17:32:15  1168 SSL SSL_connect,state_chg: TLSv1.3 read encrypted extensions
17:32:15  1168 LOG: MAIN
17:32:15  1168   [85.215.77.84] SSL verify error: depth=0 error=self-signed certificate cert=/C=DE/ST=BW/L=Karlsruhe/O=Lindenberg/OU=Tests/CN=et.lindenberg.one
17:32:15  1168 SSL verify failure overridden (host in tls_try_verify_hosts)
17:32:15  1168 mx06.et.lindenberg.one suitable for cert, per OpenSSL?  yes
17:32:15  1168 SSL verify ok: depth=0 SN=/C=DE/ST=BW/L=Karlsruhe/O=Lindenberg/OU=Tests/CN=et.lindenberg.one
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server certificate
17:32:15  1168 SSL SSL_connect,state_chg: TLSv1.3 read server certificate verify
17:32:15  1168 EXPORTER_SECRET ebdcb2de396f0ac9ef391ac0e2f69d408fa87164...
17:32:15  1168 SERVER_TRAFFIC_SECRET_0 ebdcb2de396f0ac9ef391ac0e2f69d40...
17:32:15  1168 Received TLS status callback (OCSP stapling):
17:32:15  1168  null
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read finished
17:32:15  1168 CLIENT_HANDSHAKE_TRAFFIC_SECRET ebdcb2de396f0ac9ef391ac0e2f...
17:32:15  1168 CLIENT_TRAFFIC_SECRET_0 ebdcb2de396f0ac9ef391ac0e2f69d408fa...
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write finished
17:32:15  1168 SSL hshake_done: SSL negotiation finished successfully
17:32:15  1168 SSL_connect succeeded
17:32:15  1168 Cipher: TLS1.3:TLS_AES_256_GCM_SHA384:256
17:32:15  1168 Have channel bindings cached for possible auth usage 0x55dfd11a8650 0x55dfcf15a680
17:32:15  1168   SMTP>> EHLO myMX.sub.myDomain.top
17:32:15  1168 cmd buf flush 34 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 34)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 34)
17:32:15  1168 outbytes=34 error=0
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 SSL SSL_connect,state_chg: SSL negotiation finished successfully
17:32:15  1168 SSL SSL_connect,state_chg: SSL negotiation finished successfully
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server session ticket
17:32:15  1168 read response data: size=62
17:32:15  1168   SMTP<< 250-mx01.et.lindenberg.one Hello kant.sub.simple-test-bed.de
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=10
17:32:15  1168          250 HELP
17:32:15  1168 not using PIPELINING
17:32:15  1168 not using DSN
17:32:15  1168 85.215.77.84 in hosts_require_auth? no (option unset)
17:32:15  1168   SMTP>> MAIL FROM:<root@???>
17:32:15  1168 cmd buf flush 41 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 41)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 41)
17:32:15  1168 outbytes=41 error=0
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=13
17:32:15  1168   SMTP<< 250 OK MAIL
17:32:15  1168   SMTP>> RCPT TO:<test@???>
17:32:15  1168 cmd buf flush 39 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 39)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 39)
17:32:15  1168 outbytes=39 error=0
17:32:15  1168 sync_responses expect rcpt for test@???
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=13
17:32:15  1168   SMTP<< 250 OK RCPT
17:32:15  1168   SMTP>> DATA
17:32:15  1168 cmd buf flush 6 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 6)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 6)
17:32:15  1168 outbytes=6 error=0
17:32:15  1168 sync_responses expect data
17:32:16  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:16  1168 read response data: size=37
17:32:16  1168   SMTP<< 354 End data with <CR><LF>.<CR><LF>
17:32:16  1168   SMTP>> (writing message)
a lot of DKIM messages here....


So, the only thing I can see here is that the remote MX does not offer OCSP stapling, which in any case is also not required!
Furthermore I see that with the very same configuration OpenSSL gives a LOT more information than GnuTLS.

Any ideas, if that can be the cause?


regards

Wolfgang
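The GnuTLS failure line in the first log, "Key usage violation in certificate has been detected", is GnuTLS refusing a server certificate whose X.509 KeyUsage extension does not permit what the handshake needs (the server signs the TLS 1.3 handshake, so the digitalSignature bit must be set; a static RSA key exchange would need keyEncipherment instead), while the OpenSSL log shows the same server being accepted. The following script is an added example, not Wolfgang's code and not part of Exim: it walks DER with a minimal TLV parser, locates the keyUsage extension (OID 2.5.29.15) and reports whether the bit the key exchange needs is present. The DER fragments are constructed to look like a certificate's Extensions block, not real certificates; single-byte ASN.1 tags are assumed, and the "ecdhe"/"rsa" labels are the example's own names for the two key-exchange families.

```python
"""Check the X.509 KeyUsage bits a TLS server certificate needs (added example)."""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER encoding of 2.5.29.15 id-ce-keyUsage

# Bit positions of the KeyUsage BIT STRING, per RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def der_iter(data):
    """Yield (tag, value, is_constructed) for each TLV at the top level of data.

    Assumption: single-byte tags only, which covers everything in an X.509 cert.
    """
    i, n = 0, len(data)
    while i < n:
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        value = data[i:i + length]
        i += length
        yield tag, value, bool(tag & 0x20)


def find_key_usage(der):
    """Depth-first search for the keyUsage Extension; return its extnValue bytes or None."""
    items = list(der_iter(der))
    for idx, (tag, value, constructed) in enumerate(items):
        if tag == 0x06 and value == KEY_USAGE_OID:
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            for t2, v2, _ in items[idx + 1:]:
                if t2 == 0x04:
                    return v2
            return None
        if constructed:
            found = find_key_usage(value)
            if found is not None:
                return found
    return None


def decode_key_usage(extn_value):
    """Decode the BIT STRING inside extnValue into a list of usage names."""
    tag, value, _ = next(der_iter(extn_value))
    if tag != 0x03:
        raise ValueError("keyUsage extnValue is not a BIT STRING")
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused
    return [
        KEY_USAGE_BITS[i]
        for i in range(min(total_bits, len(KEY_USAGE_BITS)))
        if bits[i // 8] & (0x80 >> (i % 8))
    ]


def check_server_cert_key_usage(cert_der, key_exchange):
    """Return (ok, usages). key_exchange is "ecdhe" (TLS 1.3 / (EC)DHE, server
    signs the handshake: needs digitalSignature) or "rsa" (static RSA key
    transport: needs keyEncipherment). A missing KeyUsage extension permits
    any usage, per RFC 5280."""
    extn = find_key_usage(cert_der)
    if extn is None:
        return True, []
    usages = decode_key_usage(extn)
    needed = "digitalSignature" if key_exchange == "ecdhe" else "keyEncipherment"
    return needed in usages, usages


def _extensions_block(key_usage_bits_hex):
    """Build a constructed [3] Extensions block holding one critical keyUsage extension."""
    bit_string = bytes.fromhex("0302" + "05" + key_usage_bits_hex)  # BIT STRING, 5 unused bits
    extension = b"\x06\x03" + KEY_USAGE_OID + b"\x01\x01\xff" + b"\x04" + bytes([len(bit_string)]) + bit_string
    extension = b"\x30" + bytes([len(extension)]) + extension
    extensions = b"\x30" + bytes([len(extension)]) + extension
    return b"\xa3" + bytes([len(extensions)]) + extensions


# Constructed sample input, not real certificates:
GOOD_CERT_FRAGMENT = _extensions_block("a0")  # digitalSignature + keyEncipherment
BAD_CERT_FRAGMENT = _extensions_block("20")   # keyEncipherment only
NO_KU_FRAGMENT = b"\x30\x00"                   # no KeyUsage extension at all

if __name__ == "__main__":
    for name, frag in (("good", GOOD_CERT_FRAGMENT), ("bad", BAD_CERT_FRAGMENT), ("none", NO_KU_FRAGMENT)):
        ok, usages = check_server_cert_key_usage(frag, "ecdhe")
        print(f"{name}: ecdhe ok={ok} usages={usages}")
```

Running this against a real certificate's DER (for example one saved from the remote MX with openssl s_client and converted with openssl x509 -outform DER) shows the same information the GnuTLS error is hiding: the bad fragment carries only keyEncipherment, which satisfies a static RSA exchange but not a TLS 1.3 handshake, which is exactly the mismatch GnuTLS reports as a key usage violation.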



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/