https://bugs.exim.org/show_bug.cgi?id=3143

            Bug ID: 3143
           Summary: TLS connect fails with OpenSSL 3.x
           Product: Exim
           Version: 4.98
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146...@wizmail.org
          Reporter: e...@freakout.de
                CC: exim-dev@lists.exim.org

For almost a decade I have had a working self-compiled setup of
my mail server with always up-to-date versions of OpenSSL and Exim.
This setup works just perfectly when I compile Exim with the openssl-1.1.1w
headers and link to the openssl-1.1.1w libraries:
```
pie2 acme]# /opt/ssl/bin/openssl s_client -connect to.dasido.de:smtp -starttls smtp </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = to.dasido.de
verify return:1
---
Certificate chain
 0 s:CN = to.dasido.de
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 29 08:51:42 2024 GMT; NotAfter: Mar 29 08:51:41 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF6TCCBNGgAwIBAgISA1q8tLWvupwE2cr+yPVIhP9EMA0GCSqGSIb3DQEBCwUA
...
-----END CERTIFICATE-----
subject=CN = to.dasido.de
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3922 bytes and written 431 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 HELP
DONE
```

When I compile Exim with the openssl-3.0.16 headers and link to the
openssl-3.0.16 libraries using the same build scripts, I can no
longer connect to the Exim server via TLS:
```
pie2 acme]# /opt/ssl/bin/openssl s_client -connect to.dasido.de:smtp -starttls smtp </dev/null
CONNECTED(00000003)
00000000:error:0A00010B:SSL routines:(unknown function):wrong version number:ssl/record/ssl3_record.c:355:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 319 bytes and written 351 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

Log in the mainlog on the server side:
```
2025-03-22 17:01:51 TLS error on connection from pie2.ypack.de (mail.example.com) [188.138.31.227] (SSL_CTX_set_option(0x42004000)): error:00000000:lib(0):func(0):reason(0)

2025-03-22 17:01:51 SMTP call from pie2.ypack.de (mail.example.com) [188.138.31.227] dropped: too many syntax or protocol errors (last command was
"?\026?\024?\035?\027?\036?\031?\030
\001?\001\001\001\002\001\003\001\004?#???\026???\027???\r?*?(\004\003\005\003\006\003\b\007\b\b\b
       \b",  C=EHLO,STARTTLS)
```
The relevant section of my configure file:
```
tls_advertise_hosts = *
tls_certificate = /etc/exim/to.dasido.de.crt
tls_privatekey = /etc/exim/to.dasido.de.key

local_interfaces = 192.168.102.29 : 80.156.57.204
# 0.0.0.0
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

qualify_domain = to.dasido.de
```

The relevant adjustments to the Makefile are:
```
@@ -212,12 +213,12 @@
 # If you are building with TLS, the library configuration must be done:

 # Uncomment this if you are using OpenSSL
-# USE_OPENSSL=yes
+USE_OPENSSL=yes
 # TLS_LIBS=-lssl -lcrypto
-# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+TLS_LIBS=-Wl,-rpath,/opt/ssl/lib -L/opt/ssl/lib -lssl -lcrypto

 # Uncomment this if you are using GnuTLS
 # USE_GNUTLS=yes
@@ -270,7 +271,7 @@
 # auxiliary programs. If the include files are not in a standard place, you
can
 # set TLS_INCLUDE to specify where they are, for example:

-# TLS_INCLUDE=-I/usr/local/openssl/include/
+TLS_INCLUDE=-I/opt/ssl/include/
 # or
 # TLS_INCLUDE=-I/opt/gnu/include

@@ -321,7 +322,7 @@

 # This one is very special-purpose, so is not included by default.

-# ROUTER_IPLOOKUP=yes
+ROUTER_IPLOOKUP=yes
```
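Review bot: the `+TLS_LIBS=-Wl,-rpath,/opt/ssl/lib -L/opt/ssl/lib -lssl -lcrypto` line fixes the run-time search path, but nothing in the report shows which libssl/libcrypto the installed exim binary actually resolves, and the server-side log string `error:00000000:lib(0):func(0):reason(0)` means OpenSSL's error queue was empty when Exim logged the failed `SSL_CTX_set_option(0x42004000)` check, i.e. a return-value check inside Exim failed rather than the library reporting an error. Suggest adding the output of `ldd /path/to/exim | grep -E 'libssl|libcrypto'` next to this hunk so the rpath can be confirmed to take effect on the 32-bit build.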
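Review bot: `+TLS_INCLUDE=-I/opt/ssl/include/` only does its job if the 3.0.16 headers really are installed under /opt/ssl and are picked up ahead of any /usr/include/openssl copy during the build; headers from one OpenSSL release combined with libraries from another is the usual way to get a binary that links cleanly and fails at run time. Suggest pasting `grep OPENSSL_VERSION_STR /opt/ssl/include/openssl/opensslv.h` (that macro exists in 3.x headers) and the `Library version: OpenSSL:` Compile/Runtime lines from `exim -bV` alongside this hunk.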
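Review bot: `+ROUTER_IPLOOKUP=yes` has nothing to do with TLS, and carrying it in the same diff makes it harder to see which build option is actually under test. Suggest dropping this hunk from the report, or marking it as unrelated, so that the TLS_LIBS and TLS_INCLUDE lines are the only changes being discussed.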

Info about the build environment (32-bit Linux):
```
exim-4.98.1-2
gcc version 12.2.0 (GCC)
GNU assembler version 2.38 (i686-pc-linux-gnu) using BFD version (GNU Binutils) 2.38
GNU ld (GNU Binutils) 2.38
GNU Make 4.4.1
```

I have searched intensively for a solution, but without success. Can you help?

Cheers, Axel

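The two excerpts above fit together as one STARTTLS handshake seen from both ends: after the client's STARTTLS the server failed to set up its SSL context and kept reading the connection as plaintext SMTP, so Exim logged the client's TLS ClientHello as an unparseable "last command" (the escaped tail `\004\003\005\003\006\003\b\007\b\b\b` is a run of TLS SignatureScheme code points), while the client, expecting a TLS record, received an SMTP error line and OpenSSL's record layer reported "wrong version number". The following is an added example written for this page; it is not part of the bug report and not Exim or OpenSSL code. Function names are mine, all inputs are constructed (`LOGGED_TAIL` copies the end of the logged command from the mainlog excerpt above with the line wrapping removed, the ClientHello header and SMTP reply are made up), and `first_record_error` is a deliberately simplified model of the record-version check OpenSSL performs, not the library's own logic.

```python
"""Read the server-side and client-side symptoms of a STARTTLS handshake
that never got established.

Server side: Exim quotes the bytes it could not parse as an SMTP command,
C-style escaped (\\026 and so on, '?' for bytes it will not print at all).
Client side: OpenSSL's record layer says "wrong version number" when the
first reply it reads is not a TLS record.

Added example, not Exim or OpenSSL code.  All inputs are constructed;
LOGGED_TAIL is copied from the mainlog excerpt on this page, unwrapped.
"""
import re
from typing import List, Optional

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake (RFC 8446 5.1)
CLIENT_HELLO = 0x01    # handshake message type: ClientHello (RFC 8446 4)

# A subset of the SignatureScheme code points (RFC 8446 4.2.3) that a
# ClientHello carries in its signature_algorithms extension.
SIGNATURE_SCHEMES = {
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256",
    0x080a: "rsa_pss_pss_sha384",
    0x080b: "rsa_pss_pss_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
}

_ESC = re.compile(r"\\([0-7]{1,3})|\\([abfnrtv])|\\\\")
_NAMED = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}


def decode_exim_escaped(text: str) -> bytes:
    """Undo the C-style escaping Exim uses when quoting a bad command.

    \\ooo becomes one byte and \\b, \\r, ... their control character.  A '?'
    is kept as 0x3f; Exim already replaced the original byte there, so those
    positions are lossy.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))
        elif m.group(2) is not None:
            out.append(_NAMED[m.group(2)])
        else:
            out.append(0x5C)          # escaped backslash
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def signature_schemes_in(data: bytes) -> List[str]:
    """Known SignatureScheme values found as consecutive 16-bit pairs."""
    found = []
    i = 0
    while i + 1 < len(data):
        code = (data[i] << 8) | data[i + 1]
        if code in SIGNATURE_SCHEMES:
            found.append(SIGNATURE_SCHEMES[code])
            i += 2                    # pairs are back to back in the extension
        else:
            i += 1
    return found


def looks_like_client_hello_fragment(escaped: str, min_schemes: int = 3) -> bool:
    """True when an escaped 'last command' carries a run of SignatureScheme
    pairs, i.e. a ClientHello that the server read as SMTP command lines."""
    return len(signature_schemes_in(decode_exim_escaped(escaped))) >= min_schemes


def classify_first_bytes(data: bytes) -> str:
    """What the first bytes on the wire after STARTTLS look like."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == CLIENT_HELLO):
        return "tls-clienthello"      # record header + ClientHello handshake type
    if re.match(rb"[2-5][0-9][0-9][ -]", data[:4]):
        return "smtp-reply"           # e.g. "500 ..." still in plaintext
    return "unknown"


def first_record_error(data: bytes) -> Optional[str]:
    """Simplified model (not OpenSSL's code) of the record-header check on
    the first record: byte 1 must be the TLS major version 0x03, otherwise
    the handshake is abandoned with 'wrong version number'.  An SMTP reply
    such as '500 ...' puts '0' (0x30) there."""
    if len(data) < 5:
        return "short read"
    if data[1] != 0x03:
        return "wrong version number"
    return None


# Constructed inputs.
LOGGED_TAIL = r"\004\003\005\003\006\003\b\007\b\b\b"       # tail of the logged command, unwrapped
CLIENT_HELLO_START = bytes.fromhex("160301 00c4 010000c0 0303")  # made-up record + handshake header
SMTP_REPLY = b"500 unrecognized command\r\n"                   # made-up plaintext reply

if __name__ == "__main__":
    print("server saw:", signature_schemes_in(decode_exim_escaped(LOGGED_TAIL)))
    print("ClientHello ->", classify_first_bytes(CLIENT_HELLO_START), first_record_error(CLIENT_HELLO_START))
    print("SMTP reply  ->", classify_first_bytes(SMTP_REPLY), first_record_error(SMTP_REPLY))
```

Decoding the escaped bytes is the useful trick here: a "last command" that decodes to a run of SignatureScheme pairs is a TLS handshake arriving on a session the server still treats as plaintext, which points at the server's TLS setup (the SSL_CTX_set_option failure logged just before it) rather than at the client.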