--pipe using tls to exim compiled with gnutls not working #30

Open
jetmore opened this issue Nov 30, 2020 · 4 comments
jetmore commented Nov 30, 2020

This is an old report (2014) which was just brought back to my attention by hschlittermann. It appears to be specific to Exim compiled with gnutls, which I don't think was ever tested. "The same Exim, but compiled with OpenSSL works."

swaks --tls --pipe 'exim -bh <ip>'

LOG: TLS error on connection from (SERVERNAME) [SERVERIP] (gnutls_handshake): A TLS packet with unexpected length was received.
<-  220 TLS go ahead
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed
pkg-config --modversion gnutls  ---> 2.12.20
pkg-config --modversion openssl ---> 1.0.1e
@jetmore jetmore added the bug label Nov 30, 2020
@jetmore jetmore added this to the next (TLS) milestone Nov 5, 2023
jetmore commented Nov 6, 2023

confirmed locally

openssl:

jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../mta/exim-install/bin/exim -bV | egrep -i '(tls|ssl)'
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../../swaks --tls --to foo --quit mail --pipe '../mta/exim-install/bin/exim -bh 127.0.0.1'
=== Trying pipe to ../mta/exim-install/bin/exim -bh 127.0.0.1...
=== Connected to ../mta/exim-install/bin/exim -bh 127.0.0.1.
[...]
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS client certificate requested and not sent
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/[email protected]"
=== TLS peer certificate failed CA verification, failed host verification (no host string available to verify)

gnutls:

jetmore@g3:~/Documents/git/swaks/testing/regressions$ exim4 -bV | egrep -i '(ssl|tls)'
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../../swaks --tls --to foo --quit mail --pipe 'exim4 -bh 127.0.0.1'
=== Trying pipe to exim4 -bh 127.0.0.1...
=== Connected to exim4 -bh 127.0.0.1.
[...]
 -> STARTTLS
<-  220 TLS go ahead
[hangs forever]

jetmore commented Nov 7, 2023

gnutls:

$ ../../swaks --tls --to foo --quit mail --pipe 'exim4 -d -bh 127.0.0.1'
[...]
SMTP>> 220 TLS go ahead
GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:369
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
GnuTLS<3>: ASSERT: ../../lib/record.c[recv_headers]:1171
GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1302
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1448
GnuTLS<3>: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1506
GnuTLS<3>: ASSERT: ../../lib/handshake.c[handshake_server]:3460
GnuTLS<2>: WRITE: -1 returned from 0x1, errno: 88
GnuTLS<3>: ASSERT: ../../lib/buffers.c[errno_to_gerr]:230
<-  220 TLS go ahead
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:722
GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_send_tlen_int]:574
[hang]

testing with debug over TCP just to compare:

$ sudo -u Debian-exim exim4 -d -bd -oX 1025
$ ../../swaks --tls --to foo --quit mail --server 127.0.0.1 -p 1025

 2978 SMTP>> 220 TLS go ahead
 2978 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:240
 2978 TLS: no SNI presented in handshake.
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/psk_ke_modes.c[psk_ke_modes_recv_params]:136
 2978 GnuTLS<2>: checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:240
 2978 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 13.2: GNUTLS_AES_256_GCM_SHA384
 2978 GnuTLS<2>: EXT[0x559526a5c2a0]: server generated X25519 shared key
 2978 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
 2978 GnuTLS<3>: ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:923
 2978 GnuTLS<3>: ASSERT: ../../lib/tls13/session_ticket.c[_gnutls13_send_session_ticket]:284
 2978 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
 2978 gnutls_handshake was successful
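Reading the two traces above side by side: in the --pipe run, `WRITE: -1 returned from 0x1, errno: 88` says the library tried to write to file descriptor 1 (the child's stdout, which under --pipe is a pipe rather than a socket) and got errno 88, which is ENOTSOCK ("Socket operation on non-socket") on Linux; in the TCP run the same write succeeds and the handshake completes. The program below is an added example, not code from swaks, Exim or GnuTLS, that reproduces only that distinction in isolation. Its one assumption, inferred from the log rather than stated anywhere in the thread, is that the TLS transport pushed bytes with a socket-only call such as send(); it builds a pipe and a socketpair, both constructed locally, and pushes one byte through each with send() and with write().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* Linux defines it; fall back to 0 elsewhere */
#endif

/* Push bytes with send(), a socket-only system call (assumed here to be
 * what the failing transport used). Returns 0 on success, else errno. */
static int push_with_send(int fd, const char *buf, size_t len)
{
    ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
    return n < 0 ? errno : 0;
}

/* Push the same bytes with write(), which accepts any file descriptor. */
static int push_with_write(int fd, const char *buf, size_t len)
{
    ssize_t n = write(fd, buf, len);
    return n < 0 ? errno : 0;
}

/* Constructed stand-in for the --pipe case: the child's stdout is the
 * write end of a pipe. Returns errno from send() on it
 * (ENOTSOCK, which is 88 on Linux, is expected). */
int send_errno_on_pipe(void)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    int rc = push_with_send(fds[1], "x", 1);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Same pipe, pushed with write() instead: 0 (success) is expected. */
int write_errno_on_pipe(void)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    int rc = push_with_write(fds[1], "x", 1);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Constructed stand-in for the --server case: a real socket, where
 * send() is legal. 0 (success) is expected. */
int send_errno_on_socket(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = push_with_send(sv[1], "x", 1);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int e;
    e = send_errno_on_pipe();
    printf("send() on pipe fd:   errno %d (%s)\n", e, e ? strerror(e) : "ok");
    e = write_errno_on_pipe();
    printf("write() on pipe fd:  errno %d (%s)\n", e, e ? strerror(e) : "ok");
    e = send_errno_on_socket();
    printf("send() on socket fd: errno %d (%s)\n", e, e ? strerror(e) : "ok");
    return 0;
}
```

Compile with `cc -o pipe_vs_socket pipe_vs_socket.c` and run it. The first line prints the same errno the GnuTLS trace shows for fd 1, the other two print 0; that is the whole difference between the --pipe and --server runs at the transport layer, and is where a fix for the hang would have to look (a push callback that tolerates non-socket descriptors, or a socket in place of the pipe).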

jetmore commented Nov 8, 2023

This is probably not relevant, but it took me forever and an incredibly dim memory to find it, so I'm recording it for posterity:

commit 56f5d9bd6bb563f4f0eab011ed665da234d93e37
Author: Philip Hazel <[email protected]>
Date:   Tue Dec 12 15:47:39 2006 +0000

    Apply John Jetmore's patch to allow tls-on-connect and STARTTLS to be
    tested/used via the -bh/-bhc/-bs options.

jetmore commented Jan 3, 2024

dropping to backlog

@jetmore jetmore removed this from the next (TLS) milestone Jan 3, 2024