> On 2010-04-09 at 11:32 +0200, Martin Tscholak wrote:
>> I tried to use an SMTP transport with tls_require_ciphers set (openssl).
>> Exim crashed with the following log line and the message was frozen.
>>
>> 2010-04-09 12:26:01 1O0BPV-0003bv-Gk == [email protected] R=simple
>> T=remote_smtp defer (-1): smtp transport process returned non-zero
>> status 0x000b: terminated by signal 11
>
> There have been a number of OpenSSL releases recently, with security
> updates. Did you upgrade OpenSSL but not recompile Exim? (Newer Exim
> will give you the build/run-time versions of OpenSSL in { exim -bV }
> output). For the most part, recent OpenSSL has been *much* better about
> ABI compatibility, but this is still my first suspicion when I see
> segfaults in OpenSSL usage from Exim.
>
>> If I specified more than one explicit cipher, exim crashed. A backtrace
>> showed it crashed in X509_get_subject_name(server_cert) in function
>> tls_client_start.
>
> This is unusual. I myself run with tls_require_ciphers set to a list,
> but do not see these crashes, so it's not that simple.
>
> % exim -bP tls_require_ciphers
> tls_require_ciphers =
> ALL:!SSLv2:!LOW:!EXPORT:!EDH:!ADH:!aNULL:!NULL:!DES:@STRENGTH
>

This is the strange thing about it. The global option works like a charm;
only if tls_require_cipher is set to ALL in a transport does Exim crash.

>> is the cause. But I am clueless now how to proceed. Attached a core and
>> exim.conf.
>
> (1) core files are not much use without the corresponding binary
> (2) please don't send core-files to a mailing-list; it's more common to
> put the core-file and binary somewhere and post the URL
> (3) You don't mention your OS/distribution, making it even harder to
> replicate
>
> -Phil

1+2: ACK, sorry about that.

I am now using Debian squeeze as distribution (lenny before). I recompiled
exim4 (4.71) to use openssl as library and exim crashed the same way. To be
sure I compiled exim from trunk (4.72) and it crashed the same way.

I tried your tls_require_ciphers string and it worked! I suspect the
receiving server uses an anonymous cipher to encrypt the connection and,
if I read correctly
http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html,
server_cert in tls_client_start is NULL.

Information:

Distribution: Debian Squeeze

exim -bV:
Exim version 4.72 #1 built 10-Apr-2010 11:30:05
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.26: (December 18, 2009)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
OpenSSL compile-time version: OpenSSL 0.9.8n 24 Mar 2010
OpenSSL runtime version: OpenSSL 0.9.8n 24 Mar 2010
Configuration file is /etc/exim4/exim4.conf

backtrace:
Core was generated by `/usr/sbin/exim -Mc 1O0YPr-0005pA-3Q'.
Program terminated with signal 11, Segmentation fault.
#0  X509_get_subject_name (a=0x6) at x509_cmp.c:130
130     x509_cmp.c: No such file or directory.
        in x509_cmp.c
(gdb) bt
#0  X509_get_subject_name (a=0x6) at x509_cmp.c:130
#1  0x080c9479 in smtp_deliver ()
#2  0x080cbcec in smtp_transport_entry ()
#3  0x0805b060 in do_remote_deliveries ()
#4  0x0805e445 in deliver_message ()
#5  0x08067ba8 in main ()

Thanks
Martin

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
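Two checks that follow from this thread, written here as an added example (not code from the thread or from Exim): flagging main-log deferrals in which the smtp transport child died on a signal, as in the line Martin quoted, and comparing the compile-time and runtime OpenSSL lines of `exim -bV` that Phil asks about. The log lines and the `-bV` excerpt below are constructed samples; the recipient addresses are invented.

```python
import re

# Constructed sample main-log lines in the shape of the deferral quoted above; recipients invented.
SAMPLE_LOG = """\
2010-04-09 12:26:01 1O0BPV-0003bv-Gk == user@example.org R=simple T=remote_smtp defer (-1): smtp transport process returned non-zero status 0x000b: terminated by signal 11
2010-04-09 12:30:10 1O0BPW-0003c1-Aa == user@example.net R=dnslookup T=remote_smtp defer (-1): Connection refused
"""

# Constructed excerpt of 'exim -bV' output carrying the two OpenSSL version lines.
SAMPLE_BV = """\
Exim version 4.72 #1 built 10-Apr-2010 11:30:05
OpenSSL compile-time version: OpenSSL 0.9.8n 24 Mar 2010
OpenSSL runtime version: OpenSSL 0.9.8n 24 Mar 2010
"""

DEFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) == (?P<rcpt>\S+) R=(?P<router>\S+) "
    r"T=(?P<transport>\S+) defer \((?P<code>-?\d+)\): (?P<reason>.*)$"
)
SIGNAL_RE = re.compile(r"returned non-zero status (?P<status>0x[0-9a-f]+): terminated by signal (?P<sig>\d+)")
BV_RE = re.compile(r"^OpenSSL (?P<which>compile-time|runtime) version: (?P<ver>.+)$", re.M)


def transport_crashes(log_text):
    """Return one record per deferral whose transport child process was killed by a signal."""
    hits = []
    for line in log_text.splitlines():
        m = DEFER_RE.match(line)
        if not m:
            continue
        s = SIGNAL_RE.search(m["reason"])
        if not s:
            continue  # ordinary defer (connection refused etc.), not a crash
        sig = int(s["sig"])
        hits.append({
            "msgid": m["msgid"],
            "transport": m["transport"],
            "status": int(s["status"], 16),  # low bits of the wait status carry the signal
            "signal": sig,
            "segfault": sig == 11,  # SIGSEGV: the crash seen in the thread
        })
    return hits


def openssl_version_mismatch(bv_output):
    """True when 'exim -bV' reports different compile-time and runtime OpenSSL versions."""
    found = {m["which"]: m["ver"].strip() for m in BV_RE.finditer(bv_output)}
    if set(found) != {"compile-time", "runtime"}:
        raise ValueError("no OpenSSL version lines: Exim probably not built with OpenSSL")
    return found["compile-time"] != found["runtime"]
```

A version mismatch points at the stale-binary explanation Phil raised first; a crash record with the versions matching, as in this thread, points at the code path itself.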
