On 2012-05-19 14:50, Phil Pennock wrote:
> I have uploaded Exim 4.80 RC2 to:
> ftp://ftp.exim.org/pub/exim/exim4/test/
[..]
> Please report issues in reply to this email, on exim-users.
I think there is some TLS interoperability issue between Exim 4.80 RC2 built with GnuTLS and NSS (Netscape Security Services) on the client side. I built RC2 on Ubuntu 12.04 x86_64 and as a result the Thunderbird email client on the same platform was not able to negotiate STARTTLS any longer. The Thunderbird error message was not helpful at all:

  Sending of message failed. The message could not be sent using SMTP server localhost for an unknown reason. Please verify that your SMTP server settings are correct and try again, or contact your network administrator.

On the Exim side I see this (exim -bd -d-all+tls):

18935 Listening...
18935 Connection request from 127.0.0.1 port 47545
18935 1 SMTP accept process running
18935 Listening...
18939 Process 18939 is handling incoming connection from [127.0.0.1]
18939 Process 18939 is ready for new message
18939 initialising GnuTLS as a server
18939 GnuTLS global init required.
18939 initialising GnuTLS server session
18939 Expanding various TLS configuration options for session credentials.
18939 certificate file = /opt/exim/exim.crt
18939 key file = /opt/exim/exim.key
18939 TLS: cert/key registered
18939 TLS: tls_verify_certificates not set or empty, ignoring
18939 Initialising GnuTLS server params.
18939 GnuTLS tells us that for D-H PK, NORMAL is 2432 bits.
18939 read D-H parameters from file "/var/spool/exim/gnutls-params-2432"
18939 initialized server D-H parameters
18939 GnuTLS using default session cipher/priority "NORMAL"
18939 TLS: a client certificate will not be requested.
18939 Received TLS SNI "localhost" (unused for certificate selection)
18939 LOG: MAIN
18939   TLS error on connection from localhost [127.0.0.1 (gnutls_handshake): A TLS packet with unexpected length was received.
18939 TLS failed to start
18939 LOG: smtp_connection MAIN
18939   SMTP connection from localhost [127.0.0.1] closed by EOF
18935 child 18939 ended: status=0x0
18935   normal exit, 0
18935 0 SMTP accept processes now running
18935 Listening...
Exim 4.80 RC2 has the following relevant build options:

SUPPORT_TLS=yes
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls

And in the configuration:

tls_advertise_hosts = *
tls_certificate = /opt/exim/exim.crt
tls_privatekey = /opt/exim/exim.key
daemon_smtp_ports = 25 : 443 : 587
tls_on_connect_ports = 443

Everything works fine with Exim 4.77 with the following build options:

SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-lgnutls -ltasn1 -lgcrypt

...and the same run-time configuration.

To debug this further, I pointed my Firefox browser (which also uses NSS) to https://localhost/ (which is a bit of an odd way to debug SMTP problems, but I could not find any simple command-line client for talking TLS with NSS). With Firefox I got the following message when connecting to 4.80 RC2:

  Secure Connection Failed
  An error occurred during a connection to localhost.
  Unable to generate public/private key pair.
  (Error code: sec_error_keygen_fail)

The log on the server side says again: "A TLS packet with unexpected length was received."

When connecting with Chromium I get the following:

  This webpage is not available
  The webpage at https://localhost/ might be temporarily down or it may have moved permanently to a new web address.
  Error 2 (net::ERR_FAILED): Unknown error.

When connecting to Exim 4.77 with GnuTLS using Firefox I get the usual complaint about an untrusted certificate. After confirming a security exception I can see the following in Exim's debug output:

20776 SMTP syntax error in "GET /favicon.ico HTTP/1.1" H=localhost [127.0.0.1] unrecognized command

This obviously indicates that the TLS connection was successfully negotiated this time.

If I compile Exim 4.80 RC2 with OpenSSL everything works fine. Also, if I test against Exim 4.80 RC2 with GnuTLS using "openssl s_client" or swaks I do not have any issues. This seems to be NSS specific.

The GnuTLS library version on Ubuntu 12.04 is "2.12.14-5ubuntu3" and the NSS library is "3.13.1.with.ckbi.1.88-1ubuntu6".
I am trying this out next with Scientific Linux 6.2 (should be the same as RHEL/CentOS 6.2), which has a different GnuTLS version. But it will take some time.

Meanwhile, is anyone else able to reproduce this on the same or another platform? Compile Exim 4.80 RC2 with GnuTLS and try to connect to it with anything that uses NSS, such as Thunderbird, Firefox, Chromium etc. Can you get a successful TLS connection?

I am unsure how to debug this further (I am not familiar with any of these TLS libraries) but will be happy to assist.

--
Janne Snabb / EPIPE Communications
[email protected] - http://epipe.com/

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
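The report above asks readers to reproduce the failure by hand with a GUI client. The script below is an added example (not part of the original mail, and not Exim's own code) that does the server-side half of that procedure from the command line: it opens a STARTTLS session on the submission port and a TLS-on-connect session on the tls_on_connect_ports port, records whether the handshake completes and which protocol/cipher was negotiated, and separately extracts the priority string, D-H size, SNI and gnutls_handshake error from the "exim -bd -d-all+tls" output quoted in the report. It uses only the Python standard library, so the client TLS stack is whatever OpenSSL the interpreter links against, not NSS; the assumption is that a scriptable probe is still worth having to confirm which port and mode fails (the author's swaks and openssl s_client checks passed, so a failure here would point at the server rather than at NSS). The host name "probe.example" in the EHLO, the port pairs in the main block and the SAMPLE_DEBUG lines are constructed for the example.

```python
"""Probe SMTP STARTTLS / TLS-on-connect handshakes and summarise Exim TLS debug output.

Added example for reproducing the report above; not part of the original
mail or of Exim.  Uses only the standard library (OpenSSL via ssl, not NSS)."""
import re
import socket
import ssl


def parse_ehlo(text):
    """Return (reply code, [extension keywords]) from a multi-line EHLO reply."""
    code, exts = None, []
    for line in text.splitlines():
        m = re.match(r"^(\d{3})[ -](\S*)", line)
        if m:
            code = int(m.group(1))
            exts.append(m.group(2).upper())
    return code, exts[1:]       # first 250 line carries the host name, not an extension


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply from a buffered socket file."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":     # "250 " (space) ends the reply
            return "\n".join(lines)


def probe(host="localhost", port=587, tls_on_connect=False, timeout=10.0):
    """Attempt a TLS handshake; return {ok, version, cipher, error, ...}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we are testing the handshake, not the chain
    ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "tls_on_connect": tls_on_connect,
              "ok": False, "error": None}
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if not tls_on_connect:
            f = sock.makefile("rb")
            result["banner"] = _read_reply(f)
            sock.sendall(b"EHLO probe.example\r\n")          # constructed client name
            code, exts = parse_ehlo(_read_reply(f))
            if code != 250 or "STARTTLS" not in exts:
                result["error"] = "STARTTLS not advertised (check tls_advertise_hosts)"
                return result
            sock.sendall(b"STARTTLS\r\n")
            reply = _read_reply(f)
            if not reply.startswith("220"):
                result["error"] = "STARTTLS refused: " + reply
                return result
        tls = ctx.wrap_socket(sock, server_hostname=host)   # handshake happens here
        result.update(ok=True, version=tls.version(), cipher=tls.cipher())
        tls.sendall(b"QUIT\r\n")
        tls.close()
    except (ssl.SSLError, OSError) as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    finally:
        if sock is not None:
            sock.close()
    return result


def summarize_exim_debug(lines):
    """Pull priority string, D-H size, SNI and handshake error out of -d+tls output."""
    out = {"priority": None, "dh_bits": None, "sni": None, "error": None}
    patterns = {
        "priority": re.compile(r'cipher/priority "([^"]+)"'),
        "dh_bits": re.compile(r"D-H PK, \w+ is (\d+) bits"),
        "sni": re.compile(r'Received TLS SNI "([^"]+)"'),
        "error": re.compile(r"\(gnutls_handshake\): (.+?)\s*$"),
    }
    for line in lines:
        for key, pat in patterns.items():
            m = pat.search(line)
            if m:
                out[key] = int(m.group(1)) if key == "dh_bits" else m.group(1)
    return out


# Constructed sample, taken from the debug lines quoted in the report above.
SAMPLE_DEBUG = """\
18939 initialising GnuTLS as a server
18939 GnuTLS tells us that for D-H PK, NORMAL is 2432 bits.
18939 GnuTLS using default session cipher/priority "NORMAL"
18939 Received TLS SNI "localhost" (unused for certificate selection)
18939   TLS error on connection from localhost [127.0.0.1] (gnutls_handshake): A TLS packet with unexpected length was received.
18939 TLS failed to start
"""

if __name__ == "__main__":
    print(summarize_exim_debug(SAMPLE_DEBUG.splitlines()))
    for port, on_connect in ((587, False), (443, True)):   # ports from the report's config
        print(probe("localhost", port, tls_on_connect=on_connect))
```

Run it on the same host as the daemon while "exim -bd -d-all+tls" is running; a successful probe prints the negotiated version and cipher, and a failed one prints the ssl exception text so it can be matched against the gnutls_handshake line that summarize_exim_debug extracts from the server side.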
