[Pkg-gnutls-maint] Help with exim4 #390712, interaction with mobile phones

Marc Haber mh+pkg-gnutls-maint at zugschlus.de
Wed Dec 13 13:41:08 CET 2006 

On Tue, Dec 12, 2006 at 07:23:11PM +0000, James Westby wrote:
> On (10/12/06 19:06), Marc Haber wrote:
> > can I run gnutls-serv in the same way as gnutls-cli, so that I can
> > simply type into the connection? or is echo or http server all I can
> > get?
> 
> It looks that way (I have only used -cli before). As we know that this
> is easily reproducible with any gnutls server then we could hack
> something together that gave this functionality though

Do you want me to file a wishlist request for that functionality?

> It would be interesting to see what effect each of these options has on
> the problem, especially
> 
>   1) Can you force the phone to use TLS1.1 by only specifying that? You
>      might get "A record packet with illegal version was received." if it
>      doesn't support newer than 1.0.

Error in handshake
Error: A record packet with illegal version was received.


> Also does the problem still happen if you force SSL3.0?

no, with SSL3.0, it works:
- Version: SSL 3.0
- Key Exchange: RSA
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: NULL
and no error message of gnutls-serv before the client eventually times
out because no banner was received


>   2) Can you force on compression with --comp DEFLATE LZO? My guess is
>      that you can't.

Error in handshake
Error: Could not negotiate a supported compression method.

>   3) Are any other key exchanges supported? Do they affect the bug?

--macs rmd160 md5 does not give any error message. So I'd say the
problem is SHA-1 MAC when used on a TLS 1.0 connection.

When going to the application again, when I disable SHA-1 in exim, the
phone can connect to the server and works. Unfortunately, the MAC
suite is not configurable in exim and that selection can only be
influenced by source code modification.

> but it would be great if you can continue to help debug the
> problem as you have access to a phone that can trigger it. 

I'll happily do that.

> Even if it is at the phones end then perhaps a
> workaround could be provided in exim to negotiate a different connection
> by default or with an option, depending on whether investigations show
> that would help.

Unfortunately, both exim and gnutls-serv fall back to ARCFOUR as
cipher when I forbid SHA-1 as MAC, thus reducing security more than I
am willing to accept for the exim package, so modifying exim is kind
of out of the question.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the Pkg-gnutls-maint mailing list