On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:

On 2022-09-30, Viktor Dukhovni via Exim-users <exim-users@exim.org> wrote:
On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:

With the older Exim, GnuTLS appears to consider six cipher suites before
finding a suitable choice (after skipping all the DHE candidates).

I can disable DHE_RSA by saying

    tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA

and now it chooses the same suite that 4.94 was choosing
but there is still an error after the suite is chosen.

You could keep debugging GnuTLS, or just use a version of Exim with TLS
support via OpenSSL, which will likely just work.  Your call.

Some resource that GnuTLS expects to use is not available when it is
initialised by the problem version of Exim.  If not a DHE group,
likely something else related to cryptography.  To debug, you'd need
to figure out where that error is raised.  Lack of help from strace
is not unexpected.

It seems to be ALPN causing the problem.

this was the commit that "broke" it...

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Author: Jeremy Harris <jgh146...@wizmail.org>
Date:   Tue Jun 22 23:04:59 2021 +0100

   TLS: as server, reject connections with ALPN indicating non-smtp use

The problem seems to be "gnutls_ext_raw_parse" returning
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used
(or when no extensions are being used?). This is undocumented
behaviour, but is semantically compatible with the description of that
function.

IIRC you were testing on port 443.

Just out of interest,
what happens if you use a port without a special TLS meaning ?

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk
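The failure mode the thread describes is a server-side ALPN check that treats "no ALPN extension at all" the same as "ALPN naming a non-SMTP protocol". The following is an added example, written for this page and not code from Exim or GnuTLS: it parses the raw ClientHello extension block (the same data gnutls_ext_raw_parse walks), extracts the ALPN list if one is present, and makes the accept/reject decision the commit message aims for while treating an absent ALPN extension as legitimate. The allowed protocol set (only "smtp"), the helper names and the constructed ClientHello extension blocks are assumptions for illustration; real MTAs mostly send no ALPN, which is exactly the case that must not be rejected.

```python
import struct

ALPN_EXT_TYPE = 16             # TLS extension type for ALPN (RFC 7301)
SNI_EXT_TYPE = 0               # server_name, used here only as a non-ALPN extension
ALLOWED_PROTOCOLS = {b"smtp"}  # assumption: an MTA port accepts only "smtp" via ALPN


def parse_alpn_body(body: bytes) -> list:
    """Decode the ALPN extension body: a 2-byte list length followed by
    length-prefixed protocol names. Raises ValueError on malformed input."""
    if len(body) < 2:
        raise ValueError("ALPN body too short")
    (list_len,) = struct.unpack_from("!H", body, 0)
    if list_len != len(body) - 2:
        raise ValueError("ALPN list length does not match body")
    names, pos = [], 2
    while pos < len(body):
        n = body[pos]
        pos += 1
        name = body[pos:pos + n]
        if n == 0 or len(name) != n:
            raise ValueError("malformed ALPN protocol name")
        names.append(name)
        pos += n
    return names


def parse_alpn_from_extensions(ext_block: bytes):
    """Walk a ClientHello extension block (type, length, data ...).
    Returns the ALPN name list, or None when no ALPN extension is present.
    An empty block (client sent no extensions) also yields None."""
    pos = 0
    while pos + 4 <= len(ext_block):
        ext_type, ext_len = struct.unpack_from("!HH", ext_block, pos)
        pos += 4
        data = ext_block[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type == ALPN_EXT_TYPE:
            return parse_alpn_body(data)
    if pos != len(ext_block):
        raise ValueError("trailing garbage in extension block")
    return None


def alpn_decision(ext_block: bytes) -> str:
    """'accept' when ALPN is absent or offers an allowed protocol,
    'reject' only when ALPN is present and names nothing we serve."""
    names = parse_alpn_from_extensions(ext_block)
    if names is None:
        return "accept"          # absent ALPN is the normal SMTP client case
    if any(n in ALLOWED_PROTOCOLS for n in names):
        return "accept"
    return "reject"              # e.g. a browser or HTTP client probing port 443


def build_extensions(alpn_names=None, include_sni=True) -> bytes:
    """Construct a ClientHello extension block for testing (not a capture)."""
    exts = b""
    if include_sni:
        host = b"mail.example.test"
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    if alpn_names is not None:
        lst = b"".join(bytes([len(n)]) + n for n in alpn_names)
        alpn_body = struct.pack("!H", len(lst)) + lst
        exts += struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_body)) + alpn_body
    return exts


if __name__ == "__main__":
    for label, block in [
        ("no extensions at all", b""),
        ("SNI only, no ALPN", build_extensions()),
        ("ALPN smtp", build_extensions([b"smtp"])),
        ("ALPN http/1.1,h2", build_extensions([b"http/1.1", b"h2"])),
    ]:
        print(f"{label:24s} -> {alpn_decision(block)}")
```

The distinction that matters is between "extension not present" (None) and "extension present but unusable" (a name list without an allowed entry); a lookup API that signals the former with an error code, as the thread suggests gnutls_ext_raw_parse does, has to be mapped to "accept" rather than treated as a failed handshake.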

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
