Bug#348046: TLS error occurs on Sarge too

Ronny Adsetts ronny.adsetts at amazinginternet.com
Mon Oct 16 09:32:26 UTC 2006


Hi.

This error is occurring with 4.50-8sarge2 on Sarge too. Judging by my munin graphs on both sending and receiving side, there's no entropy on the sending side. I noticed this error yesterday when there was testing on a client's site that resulted in a couple of hundred emails being sent to us in rapid succession. The first few were sent on a TLS connection, the remainder had this logged on the sending side:

radsetts at monolith:~$ grep 1GZ8x3-0000Ix-Iv /var/log/exim4/mainlog.1
2006-10-15 17:35:01 1GZ8x3-0000Ix-Iv <= secretary at chelseaartsclub.com H=mainoffice.theclub.chelseaartsclub.com (mainoffice) [172.17.0.189] P=esmtp S=612 id=9004539.1160930103968.JavaMail.prestonm at mail.theclub.chelseaartsclub.com
2006-10-15 17:42:36 1GZ8x3-0000Ix-Iv TLS error on connection to mail.amazing-internet.net [172.16.1.20] (gnutls_handshake): A record packet with illegal version was received.
2006-10-15 17:42:36 1GZ8x3-0000Ix-Iv TLS session failure: delivering unencrypted to mail.amazing-internet.net [172.16.1.20] (not in hosts_require_tls)
2006-10-15 17:42:39 1GZ8x3-0000Ix-Iv => devnull at amazing-internet.com R=dnslookup T=remote_smtp H=mail.amazing-internet.net [172.16.1.20]
2006-10-15 17:42:39 1GZ8x3-0000Ix-Iv Completed

This on the receiving side:

2006-10-15 17:42:39 1GZ94O-0003t2-T3 <= secretary at chelseaartsclub.com H=monolith.theclub.chelseaartsclub.com [172.17.0.16] P=esmtp S=822 id=9004539.1160930103968.JavaMail.prestonm at mail.theclub.chelseaartsclub.com
2006-10-15 17:42:39 1GZ94O-0003t2-T3 => /dev/null <devnull at amazing-internet.com> R=ldap_aliases T=**bypassed**
2006-10-15 17:42:39 1GZ94O-0003t2-T3 Completed

Plus lots of these logged on the receiving side:

2006-10-15 17:39:59 TLS error on connection from monolith.theclub.chelseaartsclub.com [172.17.0.16] (gnutls_handshake): timed out

So it looks like entropy again is the problem.

A quick Google brings up a thread [1] that suggests use of /dev/urandom would not be a big deal in some cases. Not sure whether that is feasible from within exim though, and I suspect not.

[1] http://www.mail-archive.com/help-gnutls@gnu.org/msg00323.html

Is the problem with how greedy gnutls is for random data or in how exim uses gnutls?

Ronny
-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com
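The log lines in this report show the security-relevant consequence of the entropy problem: when the gnutls handshake fails, exim falls back to delivering in clear because the peer is "not in hosts_require_tls". The following is an added example (not exim's code and not from the poster) that scans an exim4 mainlog for exactly those two record types, so an operator can see how often opportunistic TLS is being downgraded and to which peers before deciding whether a host belongs in hosts_require_tls. The sample log is the post's own lines plus one constructed entry for a second peer (mx.example.invalid, 192.0.2.10) so the per-peer tally has more than one entry.

```python
"""Scan an exim4 mainlog for opportunistic-TLS fallbacks and handshake errors.

Added example for this thread, not exim's own code.  It relies only on the two
log formats visible in the post:
  "TLS error on connection to|from <host> [<ip>] (gnutls_handshake): <reason>"
  "TLS session failure: delivering unencrypted to <host> [<ip>] (...)"
"""
import re
from collections import Counter

# Sample log: the first six lines are copied from the post (the "at" in
# addresses is the list archive's obfuscation); the last two are constructed
# for a second, fictitious peer so the summary shows more than one host.
SAMPLE_LOG = """\
2006-10-15 17:35:01 1GZ8x3-0000Ix-Iv <= secretary at chelseaartsclub.com H=mainoffice.theclub.chelseaartsclub.com (mainoffice) [172.17.0.189] P=esmtp S=612 id=9004539.1160930103968.JavaMail.prestonm at mail.theclub.chelseaartsclub.com
2006-10-15 17:39:59 TLS error on connection from monolith.theclub.chelseaartsclub.com [172.17.0.16] (gnutls_handshake): timed out
2006-10-15 17:42:36 1GZ8x3-0000Ix-Iv TLS error on connection to mail.amazing-internet.net [172.16.1.20] (gnutls_handshake): A record packet with illegal version was received.
2006-10-15 17:42:36 1GZ8x3-0000Ix-Iv TLS session failure: delivering unencrypted to mail.amazing-internet.net [172.16.1.20] (not in hosts_require_tls)
2006-10-15 17:42:39 1GZ8x3-0000Ix-Iv => devnull at amazing-internet.com R=dnslookup T=remote_smtp H=mail.amazing-internet.net [172.16.1.20]
2006-10-15 17:42:39 1GZ8x3-0000Ix-Iv Completed
2006-10-15 17:50:02 1GZ9Cx-0000Jq-0A TLS error on connection to mx.example.invalid [192.0.2.10] (gnutls_handshake): timed out
2006-10-15 17:50:02 1GZ9Cx-0000Jq-0A TLS session failure: delivering unencrypted to mx.example.invalid [192.0.2.10] (not in hosts_require_tls)
"""

# Exim message ids look like 1GZ8x3-0000Ix-Iv.  Receiving-side handshake errors
# are logged without one, so the id is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?:(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?"
    r"(?P<rest>.*)$"
)
HANDSHAKE_RE = re.compile(
    r"TLS error on connection (?P<dir>to|from) (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\((?P<fn>\w+)\): (?P<reason>.+)$"
)
DOWNGRADE_RE = re.compile(
    r"TLS session failure: delivering unencrypted to (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)


def scan_mainlog(text):
    """Return (downgrades, handshake_failures).

    downgrades: one dict per message delivered in clear after a failed TLS
    handshake, i.e. the fallback the post describes.
    handshake_failures: Counter keyed by (direction, host, reason).
    """
    downgrades = []
    failures = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an exim mainlog line
        rest = m.group("rest")
        h = HANDSHAKE_RE.search(rest)
        if h:
            failures[(h.group("dir"), h.group("host"), h.group("reason"))] += 1
            continue
        d = DOWNGRADE_RE.search(rest)
        if d:
            downgrades.append({
                "ts": m.group("ts"),
                "msgid": m.group("msgid"),
                "host": d.group("host"),
                "ip": d.group("ip"),
            })
    return downgrades, failures


def report(text):
    """Build a human-readable summary; returned as lines so it can be checked."""
    downgrades, failures = scan_mainlog(text)
    lines = [f"{len(downgrades)} message(s) delivered unencrypted after a TLS failure:"]
    for d in downgrades:
        lines.append(f"  {d['ts']} {d['msgid']} -> {d['host']} [{d['ip']}]")
    lines.append("handshake failures by peer and reason:")
    for (direction, host, reason), n in sorted(failures.items()):
        lines.append(f"  {n:3d}  {direction} {host}: {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real mainlog by passing the file contents to `report()`; a peer that shows up repeatedly in the first list is a candidate for hosts_require_tls once the entropy problem on the sender is resolved, since the fallback means the mail crosses the network in clear.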
