On (13/12/06 09:56), Peter Chubb wrote:
> >>>>> "James" == James Westby <[EMAIL PROTECTED]> writes:
>
> James> Unfortunately the traces you provided are not that
> James> informative. It would be great to get some more information on
> James> the connection.
>
> It was:
>    telnet mx.chubb.wattle.id.au 25
>    ehlo croc
>    starttls
> and the server died.  It *should* return 220 TLS go ahead.  It's dying
> *before* the TLS handshake starts.

Ah, OK, I see that now, thanks for the clarification.

I haven't had time for a full research, but from a quick look at the code
the next big things it does after initializing GnuTLS as a server is
printed in the log is initialise GnuTLS (surprise, surprise), specifically
it calls

  gnutls_global_init
  init_dh

The first of these is a GnuTLS function, and it is called by every API
client on every setup, so if it was severely broken then we would probably
know about it by now (I'm not ruling out it being broken though).

The second is an exim gnutls related function that sets up the DH
parameters for the session, or reads them from a file.

The strace output shows /dev/urandom being read which I believe will be
done in the init function (I haven't confirmed yet though) and then exim
dying shortly afterwards.

I shall try and do some more digging in to the code tomorrow, and try and
set up an instance of exim to test this.

>
> I tried to reproduce the bug (reinstalled 1.4.4-3) and the problem has
> stopped occurring.  I *hate* bugs like that.

Me too. Hopefully it will stay this way. You could see if there is
anything in the output of

  which-pkg-broke exim4

or

  which-pkg-broke libgnutls13

(which-pkg-broke is in the debian-goodies package).

If the server is not critical I would appreciate it if you would keep the
buggy version installed and follow up here if the problem reoccurs.

>
> James> * Do you have anything strange in the setup? Could I have
> James> your config if there is nothing private in it so that I can set
> James> up test server to beat up?
>
> The setup is a standard Debian system, with sa_exim and
> exim-daemon-heavy, with the parts in
> conf.d/auth/30_exim4-config_examples uncommented to allow AUTH PLAIN
> and AUTH LOGIN.
>
> I'd rather the config wasn't kept on a website forever, so I'll put it
> up at http://gelato.unsw.edu.au/~peterc/exim4-conf.tar.bz2; let me
> know when you've fetched it.

Thanks, I've got it. I'll try and use it soon.

>
> Other info: the failing site is a virtual x86 machine under Xen, but
> this shouldn't make any difference.

Yes, it shouldn't. People do have entropy problems without special libc6
packages under Xen, but that shouldn't be causing any segfaults.

>
> The libgnutls13 package that works is 1.4.2-1
>

Ok, thanks, I'll see if I can bring myself to read the diff between these
two versions.

Thanks,

James

--
  James Westby   --    GPG Key ID: B577FE13    --     http://jameswestby.net/
  seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256