Bug#674990: exim breaks (again?) with TLS packet with unexpected length

Andreas Metzler ametzler at downhill.at.eu.org
Tue May 29 18:15:47 UTC 2012


On 2012-05-29 Norbert PREINING <preining at jaist.ac.jp> wrote:
> Package: exim4-daemon-light
> Version: 4.77-1+b1
> Severity: serious
> Submitter: Norbert Preining <preining at logic.at>

> Hi all,

> I have searched the bug database and the web for information, and I cannot
> get it to work, exim *always* dies with 

> TLS error on connection to xxx.yyy.zzz.www [NN.NN.NN.NN] (gnutls_handshake): A TLS packet with unexpected length was received.
[...]

> When I do 
> $ openssl s_client -connect xxx.yyy.zzz.www:587
> CONNECTED(00000003)
> 139642052535976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
> ---
> no peer certificate available
[...]
> So also this does not help really. 

> The remote server is not under my control, but is advertised as
> smtp server in my university.

Hello,

587 uses starttls, you'll need to talk to 465 to give abovementioned
openssl test a chance to succeed.

Afaict the remote side breaks if the connecting side tries to use
TLS1.1/TLS1.2 and/or TLS record random padding. Therefore these
succeed:
ametzler at argenau:~$ openssl s_client -tls1 -connect \
  smtp.jaist.ac.jp:465
gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
  smtp.jaist.ac.jp -p 465

I have tried to connect on 587 with STARTTLS but the remote side does
not ever send a reply to EHLO in gnutls-cli. (Need to investigate)

Anyway, if remote's STARTTLS worked exim should be able to
connect if the SSL/settings are modified (for 4.77
gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
experimental) simply set tls_require_ciphers to the abovementioned
priority string.)

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
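An added diagnostic script, not part of the thread or of exim's own tooling, that turns Andreas' point into a repeatable check: port 465 expects an immediate TLS handshake (so `openssl s_client -connect host:465` works there), while port 587 expects a plaintext EHLO followed by STARTTLS (which is why a bare `s_client` on 587 reports "unknown protocol"). The `smtp.example.org` host is a placeholder to replace with your own server; the `classify` helper sorts `s_client` output into a few outcomes so the probes can be scripted, and the sample outputs fed to it below are constructed from the error text quoted in the report.

```shell
#!/bin/sh
# Probe an SMTP server for implicit TLS (465) and STARTTLS (587),
# optionally with extra openssl flags such as -tls1 or -no_tls1_2 to
# check whether the peer only copes with older protocol versions.
# Usage: ./smtp_tls_probe.sh smtp.example.org   (placeholder host)

# Implicit TLS: handshake starts immediately after TCP connect.
probe_implicit_tls() {            # $1 host, $2 port, $3 extra openssl flags
  printf 'QUIT\r\n' | openssl s_client $3 -connect "$1:$2" 2>&1
}

# STARTTLS: s_client speaks EHLO, sends STARTTLS, then upgrades.
probe_starttls() {                # $1 host, $2 port, $3 extra openssl flags
  printf 'QUIT\r\n' | openssl s_client $3 -starttls smtp -connect "$1:$2" 2>&1
}

# Classify s_client output read from stdin:
#   plaintext-port      the peer answered in clear text (STARTTLS expected)
#   handshake-failed    TLS began but the peer aborted (version/extension issue)
#   tls-ok              a session was negotiated (SSL-Session block printed)
#   unknown             anything else, inspect by hand
classify() {
  out=$(cat)
  case "$out" in
    *"unknown protocol"*|*"wrong version number"*) echo "plaintext-port" ;;
    *"unexpected length"*|*"handshake failure"*|*"unexpected message"*)
      echo "handshake-failed" ;;
    *"Protocol  :"*|*"Protocol    :"*) echo "tls-ok" ;;
    *) echo "unknown" ;;
  esac
}

# Run the full matrix against one host; results are printed, one per line.
run_probes() {
  h=$1
  echo "465 implicit, default versions: $(probe_implicit_tls "$h" 465 "" | classify)"
  echo "465 implicit, TLS1.0 only:      $(probe_implicit_tls "$h" 465 "-tls1" | classify)"
  echo "587 plain s_client (expected to fail): $(probe_implicit_tls "$h" 587 "" | classify)"
  echo "587 STARTTLS, default versions: $(probe_starttls "$h" 587 "" | classify)"
  echo "587 STARTTLS, TLS1.0 only:      $(probe_starttls "$h" 587 "-tls1" | classify)"
}

if [ $# -ge 1 ]; then
  run_probes "$1"
fi
```

A "plaintext-port" result on 587 combined with "tls-ok" on 465 is the expected picture for a normal submission server; "handshake-failed" with default versions but "tls-ok" with `-tls1` is the pattern described above, where the peer cannot handle TLS 1.1/1.2 negotiation. Note that `-tls1` is only available in openssl builds that still ship TLS 1.0 support, so on a modern client this particular probe may be refused locally rather than by the server.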