Bug#297174: exim4+libgnutls11: TLS error (gnutls_handshake)
Michael Biebl
Michael Biebl <biebl@teco.edu>, 297174@bugs.debian.org
Sun, 27 Feb 2005 19:14:47 +0100
Package: exim4-daemon-heavy
Version: 4.44-2
Severity: important
Our exim4 installation is configured to advertise SMTP AUTH only after
STARTTLS. The relevant part of exim4.conf.template looks like this:
log_selector = +tls_cipher +tls_peerdn
tls_advertise_hosts = *
tls_certificate = CONFDIR/ssl/server.crt
tls_privatekey = CONFDIR/ssl/server.key
The certificate is signed by a self-created and self-signed CA.
If I now try to connect/authenticate with a MUA like Thunderbird I get
an error on every second connection attempt. The corresponding log
entries look like this:
2005-02-27 18:26:42 TLS error on connection from
dialin-212-144-131-181.arcor-ip.net [212.144.131.181]
(gnutls_handshake): A TLS fatal alert has been received.
and Thunderbird displays an error message saying: server has sent an
incorrect or unexpected message. Error Code: -12244.
It doesn't matter if I import the CA certificate or accept the server
certificate.
Other MUAs behave slightly differently. E.g. Opera Mail succeeds only on
the first sent message and fails on every subsequent connection attempt,
kmail seems to work properly.
As a workaround I recompiled exim4 and linked it against libgnutls10 and
the errors were gone.
So the question is:
* Is it a misconfiguration of exim4 (unlikely as it works with libgnutls10)?
* Is it a bug in exim4?
* Is it a bug in libgnutls11 or is libgnutls11 just stricter and more
picky during the tls handshake?
* Are the MUAs buggy?
What can I do to solve this problem? Linking against the old gnutls lib
doesn't seem to be a good solution for me.
If you think this is a bug in libgnutls11 feel free to reassign the bug.
Cheers,
Michael
--
------------------------------------------------------------
E-Mail: biebl@teco.edu
WWW: http://www.teco.edu/
TecO (Telecooperation Office) Vincenz-Priessnitz-Str.1
University of Karlsruhe 76131 Karlsruhe, Germany
------------------------------------------------------------
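Added example, not part of the original report: a small triage script that rebuilds each peer's sequence of TLS outcomes from an Exim main log, to confirm a pattern such as "fails on every second connection attempt". The sample log is constructed; the function names, hosts, message ids and cipher strings are assumptions, and only the error line format is taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the report). Error lines follow the entry
# quoted above, unwrapped; "<=" lines carry the X= field that +tls_cipher adds
# to message-arrival entries. Hosts, ids and cipher names are made up.
SAMPLE_LOG = """\
2005-02-27 18:26:10 1D5Sa0-0001Xy-AB <= u1@example.org H=a.example.net [192.0.2.10] P=asmtp X=TLS-1.0:RSA_AES_256_CBC_SHA:32 S=812
2005-02-27 18:26:42 TLS error on connection from a.example.net [192.0.2.10] (gnutls_handshake): A TLS fatal alert has been received.
2005-02-27 18:27:05 1D5Sa1-0001Xz-CD <= u2@example.org H=b.example.net [192.0.2.20] P=asmtp X=TLS-1.0:RSA_AES_256_CBC_SHA:32 S=640
2005-02-27 18:27:30 1D5Sa2-0001Y0-EF <= u1@example.org H=a.example.net [192.0.2.10] P=asmtp X=TLS-1.0:RSA_AES_256_CBC_SHA:32 S=790
2005-02-27 18:27:51 TLS error on connection from b.example.net [192.0.2.20] (gnutls_handshake): A TLS fatal alert has been received.
2005-02-27 18:28:02 TLS error on connection from a.example.net [192.0.2.10] (gnutls_handshake): A TLS fatal alert has been received.
2005-02-27 18:28:15 1D5Sa3-0001Y1-GH <= u3@example.org H=c.example.net [192.0.2.30] P=asmtp X=TLS-1.0:RSA_AES_256_CBC_SHA:32 S=901
2005-02-27 18:28:40 TLS error on connection from b.example.net [192.0.2.20] (gnutls_handshake): A TLS fatal alert has been received.
2005-02-27 18:29:03 1D5Sa4-0001Y2-IJ <= u3@example.org H=c.example.net [192.0.2.30] P=asmtp X=TLS-1.0:RSA_AES_256_CBC_SHA:32 S=955
"""

FAIL_RE = re.compile(r"^(\S+ \S+) TLS error on connection from .*?\[([0-9A-Fa-f.:]+)\] \((\w+)\): (.+)$")
OK_RE = re.compile(r"^(\S+ \S+) \S+ <= .*?\[([0-9A-Fa-f.:]+)\].*?\sX=(\S+)")

def tls_outcomes(log_text):
    """Return {peer_ip: [(timestamp, 'ok'|'fail', detail), ...]} in log order."""
    peers = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            peers[m.group(2)].append((m.group(1), "fail", f"{m.group(3)}: {m.group(4)}"))
            continue
        m = OK_RE.match(line)  # only TLS sessions that delivered a message count as "ok"
        if m:
            peers[m.group(2)].append((m.group(1), "ok", m.group(3)))
    return dict(peers)

def alternates(events):
    """True when a peer has >= 3 events and every outcome differs from the previous one."""
    kinds = [kind for _, kind, _ in events]
    return len(kinds) >= 3 and all(a != b for a, b in zip(kinds, kinds[1:]))

def summarize(log_text):
    out = {}
    for ip, events in tls_outcomes(log_text).items():
        kinds = [kind for _, kind, _ in events]
        out[ip] = {"ok": kinds.count("ok"), "fail": kinds.count("fail"),
                   "alternating": alternates(events)}
    return out

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
```

Grouping by peer separates a client that alternates between success and failure from one that succeeds once and then always fails, the two behaviours described in the report.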