Bug#316522: exim4-daemon-light: TLS connections fail with "An error was encountered at the TLS Finished packet calculation."

Simon Josefsson simon at josefsson.org
Mon Jan 14 11:25:01 UTC 2008


Hi.  Thanks for the information.  The problem is most likely not
exim-related but gnutls-related, so if you have any idea on what the
gnutls version was, that would help.  I could try older versions of
gnutls against TheBat to see if I can get it working, and then try to
find the differences, but it may be too much work.

There is a difference between gnutls and openssl here, in that gnutls
sends the CERTIFICATE_REQUEST message by default, and we should think
more about whether we could change that.  That is something that exim
could ask gnutls to do, though, so this may be an exim change.

/Simon

Alexander Myodov <maa_public at sinn.ru> writes:

> Simon,
>
> I see you managed to run The Bat under Wine and reproduce the issue - 
> that's good, cause I disabled my mail system since that bug report
> already, and trying to reproduce the issue will require a lot of
> efforts to make it running again. Sorry for that.
>
> But as far as I remember the issue, I did establish the trust with
> my own self-signed certificate (used on the mail server) in The Bat
> before the issue. And everything worked successfully, until the new
> version of Exim was released. If I reported it by 4.50 version, it is
> most likely that the last working version was something reeeally
> old. I can't already find the exact Debian snapshot used to setup the
> system, but I think the working version was something about 4.33 or
> 4.34.
>
>
> On Fri, 2008-01-04 at 18:20 +0100, Simon Josefsson wrote:
>> Hi Alexander!  I'm trying to help with this bug.  Can you still
>> reproduce the problem with TheBat?  With which versions of exim/gnutls?
>> You reported the problem in 2005/2006, so things may have changed...
>>
>> You said earlier versions of exim worked, can you pin-point which
>> version it worked and which it stopped working in?  Can you reproduce
>> that it works?
>>
>> To debug this, it would help if you could run gnutls-serv or openssl
>> s_client on a host, and try to talk to it using TheBat.  Try:
>>
>> $ gnutls-serv --port 465 --x509keyfile KEY.pem --x509certfile CERT.pem --debug
>>
>> Also, if you are able to re-build exim4 with openssl, testing that
>> configuration together with TheBat would also be useful.
>>
>> Can you reproduce this using a recent version of TheBat?  I see that it
>> is possible to download TheBat and use it for free for 30 days, so if
>> you can confirm that this happens with the latest version of TheBat and
>> exim4+gnutls I can download it and try to debug this problem myself.
>>
>> Thanks,
>> /Simon




