Dear Longtermers,

Watching the exim logs of my wheezy server, I discover a lot of connection aborts of incoming TLS connections. The error is quite generic: "A TLS packet with unexpected length was received." This seems to have been an often observed problem for a long time.

Unfortunately the error is observed increasingly often today compared to earlier, e.g. today vs. October 2015: 41% vs. 3% (counting the error over one month in relation to the number of received messages). It occurs with ebay, sendgrid and a few others. There are many TLS connections that do work well without an error.

There are some bug reports related to it, with a long history:

#740160 - gnutls unusable with cacert SHA2-512 sigs
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740160

#737921 - [TLS1.2] gnutls only likes SHA1 and SHA256 certificates
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921

#482404 - A TLS packet with unexpected length was received when receiving mail from MS Exchange 2003
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482404

#348046 - multiple GnuTLS issues - please only add information to blocking bugs
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348046

One reason is that libgnutls26 fails with sha512 keys; this can be worked around by adding the corresponding domains to tls_try_verify_exceptions. Unfortunately this is not a remedy for all connecting hosts: it works with gmx but not others.

With the increasing number of this error, emails get delayed or do not get delivered at all. I know LTS is not about fixing bugs; this one is critical though, and it probably affects many wheezy installations. As it gets worse with time, it might be that someone would like to care anyway, or maybe there is a known solution to this problem I haven't found on the net.

Any advice is highly appreciated - I want to keep encrypted connections as the first option for connecting hosts.

Thank you for your help!

Best regards,
Adrian Zaugg.
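The ratio described in the message above (occurrences of the error relative to received messages) can be broken down per connecting host to see which peers are affected. The following is an added example, not part of the original message: the log lines are constructed, the Exim main log layout shown in the comments is an assumption, and `tls_error_stats` is a hypothetical helper name.

```python
import re
from collections import Counter

ERR = "A TLS packet with unexpected length was received"
# Assumed Exim main log shape:
#   TLS error on connection from <host> (<helo>) [<ip>] (<where>): <message>
# <host> and (<helo>) may each be absent.
PEER_RE = re.compile(
    r"TLS error on connection from (?:([^\s(\[]+) )?(?:\([^)]*\) )?\[([^\]]+)\]")
# Message arrival lines: "<date> <time> <message-id> <= <sender> ..."
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= ")

# Constructed sample lines (documentation hosts and addresses only).
SAMPLE_LOG = """\
2016-05-02 08:11:03 1axAAA-0001aB-2c <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 S=2100
2016-05-02 08:12:40 TLS error on connection from mta7.example.net [198.51.100.7] (gnutls_handshake): A TLS packet with unexpected length was received.
2016-05-02 08:12:41 1axAAB-0001aC-3d <= b@example.net H=mta7.example.net [198.51.100.7] P=esmtp S=5300
2016-05-02 09:30:12 TLS error on connection from mta7.example.net (out.example.net) [198.51.100.7] (gnutls_handshake): A TLS packet with unexpected length was received.
2016-05-02 09:45:00 TLS error on connection from [203.0.113.9] (gnutls_handshake): A TLS packet with unexpected length was received.
2016-05-02 10:02:19 1axAAC-0001aD-4e <= c@example.com H=mx2.example.com [192.0.2.20] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 S=900
2016-05-02 10:05:55 TLS error on connection from mx3.example.com [192.0.2.30] (recv): Error in the pull function.
2016-05-02 11:00:00 1axAAD-0001aE-5f <= d@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 S=1200
"""

def tls_error_stats(lines):
    """Return (arrivals, errors, ratio, per_peer) for the unexpected-length error."""
    arrivals, per_peer = 0, Counter()
    for line in lines:
        if ARRIVAL_RE.match(line):
            arrivals += 1
        elif ERR in line:
            m = PEER_RE.search(line)
            # Prefer the resolved host name, fall back to the IP address.
            per_peer[(m.group(1) or m.group(2)) if m else "unknown"] += 1
    errors = sum(per_peer.values())
    return arrivals, errors, (errors / arrivals if arrivals else None), per_peer

if __name__ == "__main__":
    arrivals, errors, ratio, per_peer = tls_error_stats(SAMPLE_LOG.splitlines())
    print(f"{errors} errors / {arrivals} received = {ratio:.0%}")
    for peer, n in per_peer.most_common():
        print(f"{n:5d}  {peer}")
```

Run against a real log by passing an open file object instead of the sample; other TLS errors are deliberately not counted, so the figure tracks only this one failure.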
