Bug#674990: exim breaks (again?) with TLS packet with unexpected length
Andreas Metzler
ametzler at downhill.at.eu.org
Wed May 30 17:37:09 UTC 2012
On 2012-05-30 Norbert Preining <preining at logic.at> wrote:
> On Di, 29 Mai 2012, Andreas Metzler wrote:
[...]
> > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> > smtp.jaist.ac.jp -p 465
[...]
> The only hiccup was that at the end
> > connect if the SSL/settings are modified (for 4.77
> > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > experimental) simply set tls_require_ciphers to the abovementioned
> > priority string.)
> Now I tried to convince exim to do the same, but without success.
> According to your remarks I set the following variables in
> /etc/exim4/conf.d/main/000_localmacros
> DCsmarthost=smtp.jaist.ac.jp::465
> gnutls_compat_mode=true
> gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
Two things:
* gnutls_require_protocols does not accept a GnuTLS string, it is a
  different syntax: "TLS1.0:SSL3".
* The respective setting needs to be on the transport. (The
corresponding main configuration settings apply when exim is
accepting mail on the SMTP port.)
http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECTreqciphgnu
[...]
> -----------------------------
> One more thing: I want to complain to the tech staff here: can you
> tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
> supported, I can tell them?
[...]
Nothing specific. I would just hit them with the fact that
openssl s_client -connect smtp.jaist.ac.jp:465
fails. This should give more incentive than bringing in GnuTLS, which
is far less used. There are broken servers around (see e.g.
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5993>).
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
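As an added illustration of the two points above (this is editor-supplied example configuration, not something from the bug report or from Debian's exim4-config package): the GnuTLS settings belong on the transport that delivers to the smarthost, and gnutls_require_protocols takes exim's own colon-separated protocol list rather than a GnuTLS priority string. Assumptions made here: the Debian split configuration is in use, so the transport is `remote_smtp_smarthost` in `/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost`; the options Debian already ships in that stanza are kept unchanged and are not repeated; and `EXIM_480` is a hypothetical macro the admin would define in `000_localmacros` only when running the 4.80 package from experimental.

```exim
# Added example, not the original poster's or Debian's configuration.
#
# What was tried (main/000_localmacros):
#   gnutls_compat_mode=true
#   gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
# Two problems: main-configuration options only govern the TLS that exim
# *accepts* on its listening SMTP port, so they never affect the delivery
# to smtp.jaist.ac.jp; and the value is a GnuTLS priority string, which
# gnutls_require_protocols does not understand.
#
# Where it belongs: on the smtp transport used for the smarthost.
# Assumption: the remaining options Debian ships in this stanza
# (hosts_try_auth, the tls_certificate/.ifdef blocks, ...) stay as they
# are; only the lines between the .ifdef/.endif are added.
remote_smtp_smarthost:
  driver = smtp
.ifdef EXIM_480
  # exim 4.80 (experimental at the time): pass the GnuTLS priority
  # string itself through tls_require_ciphers.
  tls_require_ciphers = NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
.else
  # exim 4.77: exim syntax, a colon-separated list of protocol names
  # this transport may offer, plus the GnuTLS compatibility mode.
  gnutls_require_protocols = TLS1.0:SSL3
  gnutls_compat_mode = true
.endif
```

After `update-exim4.conf` and a restart, `exim4 -bP transport remote_smtp_smarthost` shows whether the option actually landed on the transport. Keeping the downgrade on this one transport is the point of doing it there: inbound TLS on the listening port keeps its defaults, and only connections to the broken server are allowed to fall back to TLS 1.0 (or SSL 3.0). The message does not cover how the transport is told that port 465 is SSL-on-connect rather than STARTTLS; check the smtp transport's `protocol` option in the spec for the exim version in use before assuming the failure is only about protocol versions.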