> On 19 Aug 2024, at 11:53, Renaud Allard <ren...@allard.it> wrote:
> 
> Is 134.209.237.226 the IP you tested your "s_client" from? Because I can't 
> see any "error handling TLS incoming connection" from that IP. Besides, the 
> SSL connection worked in your former mail.
> 

No, the digitalocean address is something else.

> Also, do you have any custom vm.malloc_conf settings?


not set:

[Mon Aug 19 12:02:13] peter@skapet:~/website$ sysctl -a | grep vm.malloc
vm.malloc_conf=

With both the stock package and the locally built downgrade I get the same 
result from the s_client command:

[Mon Aug 19 11:56:45] peter@portal:~$ openssl s_client -starttls smtp -connect 
skapet.bsdly.net:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = bsdly.net
verify return:1
---
Certificate chain
 0 s:/CN=bsdly.net
   i:/C=US/O=Let's Encrypt/CN=E5
 1 s:/C=US/O=Let's Encrypt/CN=E5
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
subject=/CN=bsdly.net
issuer=/C=US/O=Let's Encrypt/CN=E5
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2971 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1724061407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
250 HELP
6939630579808:error:1404C42E:SSL routines:ST_OK:tlsv1 alert protocol 
version:/usr/src/lib/libssl/tls13_lib.c:192:
[Mon Aug 19 11:57:34] peter@portal:~$ openssl s_client -starttls smtp -connect 
skapet.bsdly.net:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = bsdly.net
verify return:1
---
Certificate chain
 0 s:/CN=bsdly.net
   i:/C=US/O=Let's Encrypt/CN=E5
 1 s:/C=US/O=Let's Encrypt/CN=E5
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
subject=/CN=bsdly.net
issuer=/C=US/O=Let's Encrypt/CN=E5
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3007 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1724061461
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
250 HELP

but the stock package (as in from pkg_add -vurm right now) gets me the SIGSEGVs 
again:

2024-08-19 11:57:34 exim 4.98 daemon started: pid=92389, -q30m, listening for 
SMTP on [2a03:94e0:182c::1]:{25,587} [185.181.61.63]:{25,587} 
[127.0.0.1]:{25,587} [::1]:25 ... and for SMTPS on [2a03:94e0:182c::1]:465 
[185.181.61.63]:465 [127.0.0.1]:465 ...
2024-08-19 11:57:34 Start queue run: pid=73451
2024-08-19 11:57:34 1sec8H-00000000P17-2SB8 failed to open DB file 
/var/spool/exim/db/wait-remote_smtp: File exists
2024-08-19 11:57:34 1sec8H-00000000P17-2SB8 == 
dh_iws...@vps59238.dreamhostps.com R=dnslookup T=remote_smtp defer (-54): retry 
time not reached for any host for 'vps59238.dreamhostps.com'
2024-08-19 11:57:34 End queue run: pid=73451
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (fault address: 
0xffffffff85556f0f)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (maybe attempt to write to 
immutable memory)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (12818 handling TLS 
incoming connection from mail.openbsd.org [199.185.178.25]
)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O backtrace
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O ---
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O     0xf75e2696c98 <stackdump+0x38> 
at /usr/local/bin/exim
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O ---
2024-08-19 11:59:05 Warning: purging the environment.
 Suggested action: use keep_environment.
2024-08-19 11:59:05 1sfzAH-00000000CDM-08cQ <= r...@skapet.bsdly.net U=root 
P=local S=702
2024-08-19 11:59:05 1sfzAH-00000000CDM-08cQ => peter <pe...@bsdly.net> 
R=localuser T=local_delivery
2024-08-19 11:59:05 1sfzAH-00000000CDM-08cQ Completed
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r SIGSEGV (fault address: 
0xffffffffa9b73d8d)
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r SIGSEGV (maybe attempt to write to 
immutable memory)
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r SIGSEGV (60499 handling TLS 
incoming connection from condenast-b.sailthru.com [192.64.236.59]
)
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r backtrace
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r ---
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r     0xf75e2696c98 <stackdump+0x38> 
at /usr/local/bin/exim
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r ---
2024-08-19 12:01:02 Warning: purging the environment.
 Suggested action: use keep_environment.

So quite odd, the whole thing.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
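
A triage sketch for the log excerpt above, added here as an example and not part of the original message or of exim: it folds the SIGSEGV lines for each message id into one record so the crashing phase and the peers involved can be compared. The sample log is adapted from the lines quoted in the message with the mail line wrapping undone, and reading the leading number as the pid is an assumption.

```python
import re
from collections import Counter

# Adapted from the log lines quoted in the message above (wrapping undone,
# trimmed); the on-disk layout of the real mainlog is assumed to match.
SAMPLE_LOG = """\
2024-08-19 11:57:34 Start queue run: pid=73451
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (fault address: 0xffffffff85556f0f)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (maybe attempt to write to immutable memory)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O SIGSEGV (12818 handling TLS incoming connection from mail.openbsd.org [199.185.178.25]
)
2024-08-19 11:58:10 1sfz9O-000000003Kk-0O1O backtrace
2024-08-19 11:59:05 1sfzAH-00000000CDM-08cQ Completed
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r SIGSEGV (fault address: 0xffffffffa9b73d8d)
2024-08-19 12:00:39 1sfzBm-00000000Fjn-3N0r SIGSEGV (60499 handling TLS incoming connection from condenast-b.sailthru.com [192.64.236.59]
)
"""

SEGV = re.compile(r"^(\S+ \S+) (\S+) SIGSEGV \((.*)$")
FAULT = re.compile(r"fault address: (0x[0-9a-fA-F]+)")
CONTEXT = re.compile(r"(\d+) handling (.+?) from (\S+) \[([0-9A-Fa-f.:]+)\]")

def crash_reports(log_text):
    """Fold the SIGSEGV lines of each message id into one crash record."""
    crashes = {}
    for line in log_text.splitlines():
        m = SEGV.match(line)
        if not m:
            continue  # not a crash line (includes the stray ")" continuation)
        when, msg_id, detail = m.groups()
        rec = crashes.setdefault(msg_id, {"time": when, "id": msg_id})
        if f := FAULT.search(detail):
            rec["fault"] = f.group(1)
        elif c := CONTEXT.search(detail):
            # Leading number is assumed to be the pid of the crashing process.
            rec["pid"], rec["phase"] = int(c.group(1)), c.group(2)
            rec["host"], rec["ip"] = c.group(3), c.group(4)
        else:
            rec.setdefault("notes", []).append(detail.rstrip(")"))
    return list(crashes.values())

def phase_counts(crashes):
    """Count crashes per process phase; one dominant phase narrows the search."""
    return Counter(c.get("phase", "unknown") for c in crashes)

if __name__ == "__main__":
    reports = crash_reports(SAMPLE_LOG)
    for r in reports:
        print(r["time"], r.get("phase"), r.get("host"), r.get("ip"), r.get("fault"))
    print(dict(phase_counts(reports)))
```
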



