[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-25 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Jeremy Harris  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #30 from Jeremy Harris  ---
Closing given comment 29.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-09 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #29 from Serg  ---
Just for feedback,
Last changes in tls-openssl.c (Comment 27) was successfully for us.
Problems with our client-soft was solved.

Thank you for all your work.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-09 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Marcin Gryszkalis  changed:

   What|Removed |Added

 CC||m...@fork.pl

--- Comment #28 from Marcin Gryszkalis  ---
Side note: It's possible to disable session cache on windows side for SCHANNEL
based appliactions:
https://support.microsoft.com/en-us/help/247658/how-to-configure-secure-sockets-layer-server-and-client-cache-elements

but Outlook (not sure about Outlook Express/Live Mail) uses WinHttp:
https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/
and I couldn't find any option for tls session cache.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-08 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Git Commit  changed:

   What|Removed |Added

 CC||g...@exim.org

--- Comment #27 from Git Commit  ---
Git commit:
https://git.exim.org/exim.git/commitdiff/a28050f855e0011e0b6f1b395d65e3cebcb277a2

commit a28050f855e0011e0b6f1b395d65e3cebcb277a2
Author: Jeremy Harris 
AuthorDate: Sun Apr 8 22:45:39 2018 +0100
Commit: Jeremy Harris 
CommitDate: Sun Apr 8 22:50:49 2018 +0100

OpenSSL: Revert the disabling of the session-cache.  Bug 2255

Session cacheing is never useful, as we use a new context for every TLS
startup.
However, removing the support triggers odd behaviour from Outlook Express
(only
when there is an IMAP server on the same machine as Exim): an initial
connect
from the OE client fails, the immediate retry works.
---
 doc/doc-txt/ChangeLog |  3 +++
 src/src/tls-openssl.c | 10 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 903840a..5e9d2af 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -200,6 +200,9 @@ JH/36 Fix reinitialisation of DKIM logging variable between
messages.
   Previously it was possible to log spurious information in receive log
   lines.

+JH/37 Bug 2255: Revert the disable of the OpenSSL session caching.  This
+  triggered odd behaviour from Outlook Express clients.
+

 Exim version 4.90
 -
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c142bd0..bfdfe21 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1601,9 +1601,15 @@ if (init_options)
 else
   DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");

-/* Disable session cache unconditionally */
-
+/* We'd like to disable session cache unconditionally, but foolish Outlook
+Express clients then give up the first TLS connection and make a second one
+(which works).  Only when there is an IMAP service on the same machine.
+Presumably OE is trying to use the cache for A on B.  Leave it enabled for
+now, until we work out a decent way of presenting control to the config.  It
+will never be used because we use a new context every time. */
+#ifdef notdef
 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+#endif

 /* Initialize with DH parameters if supplied */
 /* Initialize ECDH temp key parameter selection */

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-05 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #26 from exim@mx.zzux.com ---
As I see, there is four ways to avoid send error:
1 Stop using SSL/TLS at all :)
2 Set different hostnames for IMAP and SMTP
3 Change client software
4 Remove code part as described https://bugs.exim.org/show_bug.cgi?id=2255#c12
(This two lines of code I found as only suspicious addition in compare with
same file of 4.89)

Methods 1-3 requires manual intervention to client devices

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

Re: [exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread Viktor Dukhovni via Exim-dev 


> On Apr 4, 2018, at 2:35 PM, admin--- via Exim-dev  wrote:
> 
> We are ready to attach any dumps of exim debug or wireshark if it's necessary.

A "tshark" decode of the TLS handshake (text is better than screenshots) would
be most useful, one where the session cache mode is per the upstream patch, and
another where it is left at the default (the code setting the mode is removed).

Capture a PCAP file of the traffic with:

   # port=587 # (or 465 as appropriate)
   # tcpdump -s0 -w /some/file tcp port $port
   ... hit control-C when you think you've captured enough relevant traffic...

and post the decode for a single session from:

   $ tshark -r /some/file -d tcp.port==$port,ssl -V |
sed -ne '/^Secure Sockets Layer/,/^$/p'

You can pre-filter the PCAP file to extract just the data for a particular
client session by IP and/or client TCP port:

 # tcpdump -s0 -r /some/file -w /some/other-file tcp port $client_port and host 
$client_ip
 # tcpdump -s0 -r /some/file -w /some/other-file tcp port $client_port
 # tcpdump -s0 -r /some/file -w /some/other-file host $client_ip

then run tshark reading from "/some/other-file".

-- 
Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #25 from Serg  ---
I agree, but at this moment they are stopped supporting of substantial part of
their mail-clients (like Outlook Express, Windows Live 2009,2012, MS Office
Outlook 2003, 2007). Thats will be their answer i think - pay for new)
In any case, this remains OUR problem. Change all client's soft or keep old
version of SMTP-server. Hard choice

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #24 from Jeremy Harris  ---
I guess the other question that ought to be asked is: has the problem been
described to Microsoft, and what answer did they give?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #23 from Serg  ---
Yes, of course, we saw the difference between "old" and "new" version of
tls-openssl.c.
Patch replace line
"(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);"
to this construction:
#ifdef SSL_SESS_CACHE_NO_INTERNAL
(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_NO_INTERNAL);
#endif

And we recompile Exim with this new construction in sources.
But we don't see any difference in Exim's behavior after that.

Same errors in the exim's debug output (exim -d-all+tls -bd) like in
Description comment. And same errors on the client-side during first attempting
to set TLS-connection.

We are ready to attach any dumps of exim debug or wireshark if it's necessary.

In P.S i wrote about our attemt making little "homemade" patch which remove
source line "(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);"
and nothing add instead it. It allow our clients set first connection normal.
But its wrong way we thought.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #22 from Phil Pennock  ---
But the patch removes that line, so if you applied the patch then that line is
no longer present.

The patch replaces that line with one which leaves session cache negotiation
enabled (AIUI) but suppresses storing details.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #21 from Serg  ---
P.S. The method which is described in Comment 13 -
removing line of disabling session cache from tls-openssl.c:

"(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); "

in our case was successfull too.
Thats allow to Outlook set TLS connection on the first attempt.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-04 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #20 from Serg  ---
Thanks for feedback (and for all another work) to developers.

Hurry to talk about our results.
Sadly, but in our case we don,t get a progress in problem decision.
Steps on CentOS 7.4:
1. Download sources of Exim 4.90.1-3
2. Download a patch session-cache.patch (1118 bytes)
3. Put the patch-file in ~/rpmbuild/SOURCES
4. Change the SPEC-file in ~/rpmbuild/SPECS for processing new patch.
5. Build new RPM of Exim.
6. Check sources (~/rpmbuild/BUILD/exim-4.90.1/src/tls-openssl.c). Changes
added by patch was applied.
7. Install recompiled Exim.

Nothing changes.
First TLS connection is broken (with TLS error on connection from (companygate)
[111.111.111.111] I=[192.168.1.2]:465 (SSL_accept):
error::lib(0):func(0):reason(0)), second - works normal.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #19 from Phil Pennock  ---
Patch looks sane to me.  Folks who have experienced problems: can you please
try this patch and report back as to whether or not it addresses the problems?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Jeremy Harris  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #18 from Jeremy Harris  ---
Created attachment 1080
  --> https://bugs.exim.org/attachment.cgi?id=1080=edit
set no internal session cache

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Phil Pennock  changed:

   What|Removed |Added

 CC||p...@exim.org

--- Comment #16 from Phil Pennock  ---
I think we should seriously consider backing out that change.

while Viktor is right that it's best to not have clients spend bandwidth on
session caching stuff, it's a client-exposed protocol-level change, which means
that clients which _demand_ session caching see a difference.  The variance in
amount of traffic is fairly minimal, not worth the disruption IMO.

We might consider SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_NO_INTERNAL)
instead, to just not try to save or look up session cache stuff, but I don't
feel like digging into how portable that is across OpenSSL versions.

We're optimizing session start-up, in SMTP (which is store-and-forward, not
interactive) at the expense of client compatibility, even if it is dodgy
clients.  Unless and until there's a security issue disclosed with even
offering session resumption, let's allow it?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #17 from Phil Pennock  ---
Re forward secrecy: we don't support configuring an encryption key for session
tickets, so it's all going to be session caching.  If we disable use of the
internal session store, and don't configure an external session store, then
there's no compromise of FS because we're not storing anything which can be
used to reconstruct sessions.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #15 from Jeremy Harris  ---
Background: the coding in Exim was changed as a result of this conversation:
  https://lists.exim.org/lurker/message/20170329.184757.37924032.en.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #14 from Jeremy Harris  ---
(In reply to Serg from comment #13)
> So, which ways we have now?

Try to find out how to tell Outlook not to try to use session caching against
the SMTP target (more particularly, not to assume that the _same_ session that
it had against the IMAP target is valid for the SMTP target).

Try to find out how to tell Outlook to not use session caching at all.

Try disabling session-caching on the IMAP provider.


Warning: using session caching compromises Forward Secrecy, if I understand
correctly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-04-03 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Serg  changed:

   What|Removed |Added

 CC||s8...@yandex.ru

--- Comment #13 from Serg  ---
Hi,

We are also have the same problem after upgrading from 4.84 to 4.90.
So, which ways we have now?
Manually rebuild exim from sources
([url]https://bugs.exim.org/show_bug.cgi?id=2255#c12[/url])?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-30 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #12 from exim@mx.zzux.com ---
I have removed next lines

/* Disable session cache unconditionally */
(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 

of file 'tls-openssl.c' and then Exim was recompiled.
It was solved this issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

Re: [exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread Viktor Dukhovni via Exim-dev 


> On Mar 13, 2018, at 12:55 PM, admin--- via Exim-dev  wrote:
> 
> You would have to set NO_TICKET on the IMAP server, not
> Exim. 
> 
> What you could try, although I do not know whether it works, 
> is to set -no_ticket in Exim, thus disabling the disabling of
> tickets. Hopefully the effect is that Exim will hand out tickets.
> Those will never match the ones carried over from IMAP and Exim
> does not offer resume anyway, so no harm done. It might not do 
> anything at all, since NO_TICKET is hardcoded into the Exim sources.

Based on this thread, it sounds to me like Outlook expects the *same*
ticket (or more generally resumable session) to work across both IMAP
and SMTP submission.  If so, then if IMAP session caching is enabled,
no matter how you configure Exim, you can't win, because the IMAP
server and SMTP server don't have an integrated shared session cache!

The only "solution" is for both IMAP and submission to not offer
session resumption.

Mind you, if the submission client just reconnects to negotiate a new
session, rather that continue with a full handshake, and this is all
transparent to the user, then apart from some noise in the logs this
is completely harmless, and you could just leave it the way it is with
IMAP sessions cached (users read a lot more mail then the send).

-- 
Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #11 from exim@mx.zzux.com ---
A day before writing this topic I was trying various combinations of
"openssl_options" in Exim config, most of them were with no effect except few
of them, when SSL/TLS was unavailable at all.

Now I've added
ssl_options = no_ticket
to Dovecot config, nothing's changed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #10 from Thorsten  ---
You would have to set NO_TICKET on the IMAP server, not
Exim. 

What you could try, although I do not know whether it works, 
is to set -no_ticket in Exim, thus disabling the disabling of
tickets. Hopefully the effect is that Exim will hand out tickets.
Those will never match the ones carried over from IMAP and Exim
does not offer resume anyway, so no harm done. It might not do 
anything at all, since NO_TICKET is hardcoded into the Exim sources.

Best regards, 
 Thorsten

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #8 from Jeremy Harris  ---
Also, given comment 5, you could try setting a nondefault openssl_options.

Before 7006ee24ec it was "+no_sslv2 +single_dh_use".
After: "+no_sslv2 +single_dh_use +no_ticket"

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #7 from Jeremy Harris  ---
It might be a good idea to ask the OpenSSL mailing list:
openssl-users.openssl.org

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

tomputer  changed:

   What|Removed |Added

 CC||e...@tomputer.nl

--- Comment #6 from tomputer  ---
Hi,

We are also experiencing the same problem after upgrading from 4.89 to 4.90.

Software versions are:
- Microsoft Outlook 2016 MSO (16.0.9029.2106)
- Exim version 4.90_1

The workaround with different server names for incoming and outgoing servers
works. It looks like the client caches something (TLS session?) for the server
name, either from the incoming our outoing connection.

We are not able to reproduce this with Swaks (Debian) or Apple Mail (macOS and
iOS) so it may be a Windows/Outlook specific issue.

Exim debug log (real names and IP's are masked):
 9919 SMTP>> 250-server.example.com Hello customer.direct-adsl.nl [11.11.11.11]
 9919 250-SIZE 52428800
 9919 250-8BITMIME
 9919 250-PIPELINING
 9919 250-AUTH PLAIN LOGIN
 9919 250-STARTTLS
 9919 250 HELP
 9919 SMTP<< STARTTLS
 9919 openssl option, adding from 1104000: 100 (no_sslv2 +no_sslv3)
 9919 openssl option, adding from 1104000: 200 (no_sslv3)
 9919 setting SSL CTX options: 0x3104000
 9919 Diffie-Hellman initialized from default with 2048-bit prime
 9919 ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding "auto" with
"prime256v1"
 9919 ECDH: curve 'prime256v1'
 9919 ECDH: enabled 'prime256v1' curve
 9919 tls_certificate file /etc/exim.pem
 9919 tls_privatekey file /etc/exim.pem
 9919 Initialized TLS
 9919 required ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-$
 9919 host in tls_verify_hosts? no (option unset)
 9919 host in tls_try_verify_hosts? no (option unset)
 9919 SMTP>> 220 TLS go ahead
 9919 Calling SSL_accept
 9919 SSL info: before/accept initialization
 9919 SSL info: before/accept initialization
 9919 Received TLS SNI "server.example.com" (unused for certificate selection)
 9919 SSL info: SSLv3 read client hello A
 9919 SSL info: SSLv3 write server hello A
 9919 SSL info: SSLv3 write certificate A
 9919 SSL info: SSLv3 write server done A
 9919 SSL info: SSLv3 flush data
 9919 SSL info: SSLv3 read client certificate A
 9919 LOG: MAIN
 9919   TLS error on connection from customer.direct-adsl.nl (PC) [11.11.11.11]
(SSL_accept): error::lib(0):func(0):reason(0)
 9919 TLS failed to start
 9919 LOG: smtp_connection MAIN
 9919   SMTP connection from customer.direct-adsl.nl (PC) [11.11.11.11] closed
by EOF
 9919 search_tidyup called
 9919 SMTP>>(close on process exit)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-13 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

Thorsten  changed:

   What|Removed |Added

 CC||thorsten.ha...@freenet.ag

--- Comment #5 from Thorsten  ---
Hi,

we are experiencing the same problem. The detail about the 
previous IMAP connection in this bug report
allowed us to develop a workaround. Notice that the changelog
mentions that SSL tickets were disabled in Exim 4.90. 
Conclusion must be that Outlook get confused and terminates
the SSL connection if it has a ticket from IMAP, but on
subsequent SMTP is offered none with an empty session ID.

We disabled SSL sessions[1] on our SSL termination layer and
were able to send mails through Outlook. It remains to 
determine whether Outlook or Exim is the guilty party.

Best regards, 
 Thorsten

[1] Add NO_TICKET to context options and set session id to NULL

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

Re: [exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-12 Thread Viktor Dukhovni via Exim-dev 


> On Mar 12, 2018, at 2:03 PM, admin--- via Exim-dev  wrote:
> 
> I was found differences between failure and success on 4.90_1 and 4.89.
> But I'm absolutely puzzled how to copy readable packet description from
> Wireshark to clipboard.

There's an example of how to do this with tshark in:

   https://mta.openssl.org/pipermail/openssl-users/2017-April/005624.html

-- 
Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-12 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #4 from exim@mx.zzux.com ---
I was found differences between failure and success on 4.90_1 and 4.89.
But I'm absolutely puzzled how to copy readable packet description from
Wireshark to clipboard.

Exim 4.90 is missing SessionId in server hello.

First attempt client hello to server, both 4.89 & 4.90:
https://paste.pics/8aacf762bc610c80690e747ab5842d5b

Bad exim4.90 server hello (OE drops connection immediately after it):
https://paste.pics/904ec493df1e26fa57069ac5082861f7

Good exim4.89 server hello:
https://paste.pics/db740b25ba74f7e76c89cd0f5ab02346


Second attempt client hello to 4.90
https://paste.pics/e0b693acc7d13f7f6273fd84b7f00750

Good exim4.90 server hello:
https://paste.pics/ee88288cc7a3d64b788d66fe8dbb1cff

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-11 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #3 from Jeremy Harris  ---
Either side is fine for this.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-11 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #2 from exim@mx.zzux.com ---
The both logs are on 4.90_1.

Where I must to catch traffic with Wireshark - on the Windows side?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

[exim-dev] [Bug 2255] TLS/SSL issue after upgading to 4.90

2018-03-11 Thread admin--- via Exim-dev 
https://bugs.exim.org/show_bug.cgi?id=2255

--- Comment #1 from Jeremy Harris  ---
We don't have particularly good insight into what the SSL libraries do
(though I'm concerned that you managed to negotiate such a weak cipher).
Was the working conn you show using 4.89 or 4.90.1 ?

Can you get packet captures on 4.90.1 for both the failing and working
connects, and look for differences at the SSL level using Wireshark?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##