Bug#294952: TLS errors

Marc Haber <mh+debian-packages@zugschlus.de>, 294952@bugs.debian.org
Wed, 16 Feb 2005 21:42:49 +0100


tags #294952 unreproducible
thanks

Hi!

Sorry for taking so long to respond, I was on vacation.

On Sat, Feb 12, 2005 at 05:59:46PM +0100, Michal Čihař wrote:
> While sending message to MTA that does support TLS I get these errors in
> log:
> 
> TLS error on connection to mail.sourceforge.net [66.35.250.206] (RSA params import): The scanning of a large integer has failed.
> TLS session failure: delivering unencrypted to mail.sourceforge.net [66.35.250.206] (not in hosts_require_tls)
> 
> TLS error on connection to relay.muni.cz [147.251.4.35] (RSA params import): The scanning of a large integer has failed.
> TLS session failure: delivering unencrypted to relay.muni.cz [147.251.4.35] (not in hosts_require_tls)
> 
> Obviously, when there is a host for which I require TLS, sending fails
> completely.
> 
> On 2005-02-09 these mails went okay; today it causes problems, so there
> might be a problem in some dependent library (I update unstable almost
> every day).

My test host, running current unstable, does happily deliver via TLS.
I cannot reproduce this:
2005-02-16 21:34:00 1D1Vs0-0001Ol-EY <= mh+debian-packages@zugschlus.de U=mh P=local S=1542 id=20050216203400.GA5342@lefler.int.l21.ma.zugschlus.de
2005-02-16 21:34:02 1D1Vs0-0001Ol-EY -> 294954@bugs.debian.org R=smarthost T=remote_smtp_smarthost H=82018.int0.torres.int.l21.ma.zugschlus.de [192.168.130.1] X=TLS-1.0:RSA_AES_256_CBC_SHA:32

Can you try using gnutls-cli to determine whether you have a generic
gnutls issue?

Just in case you are not familiar with gnutls-cli:

[6/506]mh@lefler:~$ gnutls-cli -s -p 25 torres
Resolving 'torres'...
Connecting to '192.168.130.1:25'...

- Simple Client Mode:

220 torres.int.l21.ma.zugschlus.de ESMTP Exim 4.44 Wed, 16 Feb 2005 21:40:15 +0100
EHLO lefler.int.l21.ma.zugschlus.de
250-torres.int.l21.ma.zugschlus.de Hello lefler.int.l21.ma.zugschlus.de [192.168.130.38]
250-SIZE 20971520
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
<Ctrl-D here>
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'torres'.
 # valid since: Wed Nov 24 11:59:00 CET 2004
 # expires at: Sat Apr 10 12:59:00 CEST 2032
 # serial number: 00
 # fingerprint: b8 c0 01 4c 2d eb 4c 13 0b 28 45 e9 65 09 34 84
 # version: #3
 # public key algorithm: RSA
 #   Modulus: 1024 bits
 # Subject's DN: C=DE,L=Mannheim,O=Marc Haber,CN=torres.l21.ma.zugschlus.de (exim4 E-Mail System),EMAIL=mh\+torres-l21-ma-zugschlus-de-exim-tls-cert@zugschlus.de
 # Issuer's DN: C=DE,L=Mannheim,O=Marc Haber,CN=torres.l21.ma.zugschlus.de (exim4 E-Mail System),EMAIL=mh\+torres-l21-ma-zugschlus-de-exim-tls-cert@zugschlus.de


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Ephemeral DH using prime of 768 bits, secret key of 759 bits, and peer's public key is 764 bits.
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
ehlo lefler.int.l21.ma.zugschlus.de
250-torres.int.l21.ma.zugschlus.de Hello lefler.int.l21.ma.zugschlus.de [192.168.130.38]
250-SIZE 20971520
250-PIPELINING
250 HELP
quit
221 torres.int.l21.ma.zugschlus.de closing connection
- Peer has closed the GNUTLS connection
[7/507]mh@lefler:~$

This bug is currently holding me back from asking the release team to
hint exim 4.44 into sarge. I would appreciate a swift answer.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
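The two things this message does by hand, reading the Exim log for "TLS session failure: delivering unencrypted" downgrades and then checking the STARTTLS handshake to a host outside Exim with gnutls-cli, can be scripted. The following is an added example, not code from the bug report, from Exim or from GnuTLS. `find_tls_fallbacks` scans mainlog text for the two line shapes quoted in the report and pairs each cleartext fallback with the preceding TLS error for that host; `parse_ehlo` extracts the advertised extensions from an EHLO reply like the one in the gnutls-cli session; `probe_starttls` does the live EHLO, STARTTLS, re-EHLO sequence the session shows and reports the negotiated protocol, cipher and certificate fingerprint (the place where you would notice parameters such as the 768-bit DH group in the session above). `SAMPLE_LOG` and `SAMPLE_EHLO` are constructed from the lines quoted in the report plus one made-up successful delivery line with example.net names; the probe needs network access and is not exercised offline.

```python
"""Added example (not from the bug report): spot Exim deliveries that fell
back to cleartext, and probe a host's STARTTLS handshake outside Exim,
roughly what 'gnutls-cli -s -p 25 host' followed by STARTTLS shows."""
import hashlib
import re
import smtplib
import ssl

# Two mainlog line shapes quoted in the report.
TLS_ERROR_RE = re.compile(
    r"TLS error on connection to (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\((?P<stage>[^)]*)\): (?P<msg>.*)$"
)
FALLBACK_RE = re.compile(
    r"TLS session failure: delivering unencrypted to (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)

# Constructed sample: the four lines from the report plus one made-up
# successful TLS delivery (example.net names, not real hosts).
SAMPLE_LOG = """\
TLS error on connection to mail.sourceforge.net [66.35.250.206] (RSA params import): The scanning of a large integer has failed.
TLS session failure: delivering unencrypted to mail.sourceforge.net [66.35.250.206] (not in hosts_require_tls)
2005-02-12 17:50:01 1D01aa-0000Aa-AA => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] X=TLS-1.0:RSA_AES_256_CBC_SHA:32
TLS error on connection to relay.muni.cz [147.251.4.35] (RSA params import): The scanning of a large integer has failed.
TLS session failure: delivering unencrypted to relay.muni.cz [147.251.4.35] (not in hosts_require_tls)
"""

# Constructed sample: the EHLO reply from the gnutls-cli session, unwrapped.
SAMPLE_EHLO = """\
250-torres.int.l21.ma.zugschlus.de Hello lefler.int.l21.ma.zugschlus.de [192.168.130.38]
250-SIZE 20971520
250-PIPELINING
250-STARTTLS
250 HELP"""


def find_tls_fallbacks(log_text):
    """Return [(host, ip, reason)] for every delivery downgraded to cleartext.
    The most recent 'TLS error' line for the same host supplies the reason."""
    last_error = {}
    fallbacks = []
    for line in log_text.splitlines():
        err = TLS_ERROR_RE.search(line)
        if err:
            last_error[err.group("host")] = f"{err.group('stage')}: {err.group('msg')}"
            continue
        fb = FALLBACK_RE.search(line)
        if fb:
            host = fb.group("host")
            fallbacks.append((host, fb.group("ip"), last_error.pop(host, "unknown")))
    return fallbacks


def parse_ehlo(ehlo_text):
    """Map advertised EHLO keywords (upper-cased) to their parameters.
    The first reply line is the greeting and carries no extension."""
    features = {}
    for line in ehlo_text.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop '250-' or '250 '
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params
    return features


def probe_starttls(host, port=25, timeout=10):
    """Live diagnostic: EHLO, STARTTLS, EHLO again, then report what was
    negotiated. Verification is off deliberately because MTA certificates
    are often self-signed (the session above shows one); this reports the
    handshake result, it does not make a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)   # smtplib lower-cases keywords
        if "starttls" not in before:
            return {"host": host, "starttls": False, "features": before}
        smtp.starttls(context=ctx)
        smtp.ehlo()                          # capabilities inside TLS
        tls = smtp.sock
        der = tls.getpeercert(binary_form=True)
        name, _proto, bits = tls.cipher()
        return {
            "host": host,
            "starttls": True,
            "version": tls.version(),
            "cipher": name,
            "cipher_bits": bits,
            "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
            "features_after_tls": dict(smtp.esmtp_features),
        }


if __name__ == "__main__":
    import sys
    for host, ip, reason in find_tls_fallbacks(SAMPLE_LOG):
        print(f"cleartext fallback to {host} [{ip}]: {reason}")
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))
```

Run it against a real mainlog by feeding the file's contents to `find_tls_fallbacks`; a host that appears there is the one to hand to `probe_starttls` (or to gnutls-cli, as the message suggests) to separate an Exim-side problem from a library-wide one.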