On Thu, Aug 27, 2015 at 08:06:16PM +0300, Evgeniy Berdnikov wrote:

> On Thu, Aug 27, 2015 at 02:44:40PM +0000, Viktor Dukhovni wrote:
> > I just tried:
> > 
> >     $ posttls-finger ringways.co.uk
> >     posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
> ...
> >     posttls-finger: < 220 TLS go ahead
> >     posttls-finger: SSL_connect error to 
> > mail.ringways.co.uk[88.211.105.31]:25: Connection timed out
> > 
> > Are you using /dev/random, rather than /dev/urandom for entropy?
> 
>  I tried "openssl s_client -connect mail.ringways.co.uk:25 -starttls smtp"
>  with -tls1_1 and -tls1_2 options. The first option leads to very quick
>  connect, tls handshake and server prompt, the second leads to hangup
>  after ClientHello.
> 
>  I don't know whether the difference between TLS protocol versions is
>  related to usage of kernel random/urandom interfaces by crypto libs.

Thanks, this helps a lot.  Indeed it breaks with TLS 1.2 and not
earlier versions, and that is because of the much larger TLS client
HELLO in TLS 1.2 due to many new ciphers.

Setting a short cipherlist with TLS 1.2 works:

    $ posttls-finger -o "tls_medium_cipherlist=AES128-SHA"-p TLSv1.2 -Ldebug ringways.co.uk
    posttls-finger: Destination address lookup failed: Host or domain name not found. Name service error for name=TLSv1.2 type=AAAA: Host not found
    bash-4.3$ posttls-finger -o "tls_medium_cipherlist=AES128-SHA" -p TLSv1.2 -Ldebug ringways.co.uk
    posttls-finger: initializing the client-side TLS engine
    posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: < 220 mail.ringways.co.uk ESMTP Exim 4.84 Thu, 27 Aug 2015 18:17:09 +0100
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250 HELP
    posttls-finger: > STARTTLS
    posttls-finger: < 220 TLS go ahead
    posttls-finger: setting up TLS connection to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: TLS cipher list "AES128-SHA:!aNULL"
    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: depth=0 verify=0 subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: depth=0 verify=1 subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A
    posttls-finger: certificate verification failed for mail.ringways.co.uk[88.211.105.31]:25: self-signed certificate
    posttls-finger: mail.ringways.co.uk[88.211.105.31]:25: subject_CN=ollie2.ringways.co.uk, issuer_CN=ollie2.ringways.co.uk, fingerprint=43:3D:A9:99:9C:61:01:4F:18:69:CD:C1:18:AD:EA:8C:E7:75:C8:34, pkey_fingerprint=42:E2:03:37:5C:56:B7:07:56:BB:17:BA:A7:A4:91:93:0A:1D:E6:3E
    posttls-finger: Untrusted TLS connection established to mail.ringways.co.uk[88.211.105.31]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250 HELP
    posttls-finger: > QUIT
    posttls-finger: < 221 mail.ringways.co.uk closing connection

So the OP appears to have a system that does not tolerate large
client HELLO messages.  There may be some "middle-box" (firewall
or similar) that is doing protocol inspection and choking on large
client HELLOs.

Entropy is then not the issue this time.

-- 
        Viktor.
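As an added illustration (not code from this thread, from Postfix or from OpenSSL), the following builds a minimal TLS 1.2 ClientHello in RFC 5246 wire format and parses it back, so the way the hello grows with the number of offered cipher suites can be measured offline, with no remote host involved. The 60-suite list and the signature_algorithms contents are constructed stand-ins, not OpenSSL's real default cipherlist.

```python
# Added example, not from the thread or from Postfix: a minimal TLS 1.2
# ClientHello in RFC 5246 wire format, so the growth of the hello with
# the number of cipher suites can be measured without any network access.
import os
import struct

TLS12 = 0x0303
AES128_SHA = 0x002F  # IANA TLS_RSA_WITH_AES_128_CBC_SHA, OpenSSL "AES128-SHA"
# Constructed stand-in for a long default-style list (60 real code points
# repeated); NOT the actual OpenSSL default cipherlist.
BIG_LIST = [0x002F, 0x0035, 0x009C, 0x009D, 0xC02F, 0xC030] * 10
# signature_algorithms extension (type 13) only exists from TLS 1.2 on;
# constructed (hash, signature) pairs.
SIG_ALGS = bytes([4, 1, 5, 1, 6, 1, 2, 1, 4, 3, 5, 3, 6, 3, 2, 3])


def build_client_hello(suites, version=TLS12, client_random=None):
    """Return a complete record: 5-byte record header + ClientHello."""
    rnd = client_random or os.urandom(32)
    body = struct.pack(">H", version) + rnd
    body += b"\x00"                                 # empty session id
    body += struct.pack(">H", 2 * len(suites))      # cipher_suites length
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                             # compression: null only
    exts = b""
    if version >= TLS12:                            # TLS 1.2 adds sig_algs
        ext_body = struct.pack(">H", len(SIG_ALGS)) + SIG_ALGS
        exts += struct.pack(">HH", 13, len(ext_body)) + ext_body
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs


def parse_client_hello(record):
    """Return (version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9                                         # past record + hs headers
    version = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2 + 32                                   # version + random
    pos += 1 + record[pos]                          # session id
    n = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", record[pos + i:pos + i + 2])[0]
              for i in range(0, n, 2)]
    return version, suites
```

Comparing len(build_client_hello([AES128_SHA])) with len(build_client_hello(BIG_LIST)) shows the two bytes per suite that a long list adds on top of the extension bytes TLS 1.2 carries, which is the size difference a protocol-inspecting middle-box would see.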

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/