Bug#348046: exim4-daemon-heavy: TLS delivery attempts fail with: (gnutls_handshake): A TLS packet with unexpected length was received.

Andrew McGlashan andrew.mcglashan at affinityvision.com.au
Sat Jan 5 10:31:40 UTC 2008


Marc Haber wrote:
> So you only have ssl_on_connect_port=465 in your exim configuration
> and no other port number? And you get a clear text banner when you
> connect to tcp/25 or tcp/587? And you get a banner when you use
> gnutls-cli -p 465 _without_ the -s option?

www:/tmp# grep ssl_on_connect_port /var/lib/exim4/config.autogenerated

- so no ssl_on_connect_port entry in my config...

But I do have the following:

www:/tmp# grep 587 /var/lib/exim4/config.autogenerated
tls_on_connect_ports=465:587

www:/tmp# gnutls-cli -p 465 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:465'...
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match '127.0.0.1'.
 # valid since: Thu Oct 25 21:11:06 EST 2007
 # expires at: Sun Oct 22 22:11:06 EST 2017
 # fingerprint: F6:9D:DB:E5:BC:EA:59:CC:F4:81:0A:D1:56:81:11:1E
 # Subject's DN: CN=mail.affinityvision.com.au
 # Issuer's DN: CN=Affinity Vision Australia Pty Ltd


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

220 mail.affinityvision.com.au ESMTP Exim 4.63 Sat, 05 Jan 2008 21:23:56 +1100



>> I understand, but it _seems_ that OpenSSL works whilst GnuTLS
>> doesn't....
>
> yes, and if we don't find out why, it's going to stay this way. I find
> it worth trying to find out where the issue with GnuTLS is, and GnuTLS
> upstream has become very responsive and motivated in the last few
> weeks (btw, I really really appreciate that).

So do I really appreciate it!

> I must admit that I have lost the overview over this bug report. If I
> recall correctly, Simon is running an incredimail evaluation copy
> under wine and can do any debugging on the library side that might be
> possible. If I recall correctly, again, he has found out that
> incredimail negotiates an obsolete version of SSL whose ciphers can
> easily be broken and might be unable to negotiate a better version.
> Under these circumstances, I remember him writing, it might be better
> not to use encryption at all.

Interesting, but I came at it a bit later.  I have a client whom I want to 
host DNS and email for, but he wants to use IM and that is the only blocking 
factor.  He isn't interested in using any other email program, but given 
that IM is actually quite popular, it is going to continue to be a problem 
if it isn't sorted.

Kind Regards
AndrewM
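
The port check Marc asks for above (a cleartext banner on tcp/25 and tcp/587, a banner on tcp/465 only after a TLS handshake, which is what `gnutls-cli -p 465` without `-s` shows) can be scripted. The following probe is an added example, not code from the bug report, from exim4 or from GnuTLS. It connects, waits to see whether the server greets in cleartext, and if it stays silent attempts a TLS handshake and reads the greeting inside TLS. The `serve_once` helper and the `mail.example.test` banner are constructed for local demonstration; no real host is contacted unless you pass one on the command line. Note that the config line shown, `tls_on_connect_ports=465:587`, makes 587 a TLS-on-connect port as well, so a client that expects the usual STARTTLS cleartext greeting on the submission port gets no banner there; the probe reports such a port as `tls-on-connect` rather than `starttls`.

```python
"""Tell a STARTTLS listener (cleartext 220 greeting) from a TLS-on-connect one.

Added example for the exim4 bug discussion; not part of exim4 or GnuTLS.
"""
import socket
import ssl
import threading

# Constructed sample banner, not captured from any real server.
SAMPLE_BANNER = b"220 mail.example.test ESMTP Exim 4.63 (constructed sample)\r\n"


def read_banner(sock, timeout):
    """Return whatever the peer volunteers before we send anything, or b''."""
    sock.settimeout(timeout)
    try:
        return sock.recv(512)
    except socket.timeout:
        return b""


def classify_port(host, port, timeout=2.0):
    """Return (kind, detail) for an SMTP listener.

    kind is 'starttls' when the server greets in cleartext (normal for 25 and
    587), 'tls-on-connect' when it stays silent until a TLS handshake and then
    greets inside TLS (normal for 465, and what tls_on_connect_ports produces),
    or 'unknown' otherwise.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        first = read_banner(sock, timeout)
        if first.startswith(b"220"):
            return "starttls", first.decode(errors="replace").strip()
        if first:
            return "unknown", "unexpected cleartext data: %r" % first
        # Silence before we speak is what a TLS-on-connect listener looks like:
        # it is waiting for our ClientHello. Try a handshake and read again.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we want the banner, not trust
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            return "unknown", "no banner and TLS handshake failed: %s" % exc
        with tls:
            banner = read_banner(tls, timeout)
        if banner.startswith(b"220"):
            return "tls-on-connect", banner.decode(errors="replace").strip()
        return "unknown", "TLS handshake ok but no 220 banner: %r" % banner


def serve_once(handler):
    """Start a one-shot localhost listener (constructed test helper); return its port.

    handler(conn) runs in a thread for the first accepted connection.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [25, 465, 587]
    for p in ports:
        try:
            print(p, *classify_port(host, p))
        except OSError as exc:
            print(p, "connect failed:", exc)
```

Run it as `python probe.py mail.example.test 25 465 587` against your own server. A port reported as `starttls` is where `gnutls-cli` needs `-s` (STARTTLS); a port reported as `tls-on-connect` is where `gnutls-cli -p PORT` without `-s` should complete the handshake and then show the 220 line, as in the output above.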