Mailing List Archive: exim: users

SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

hs at schlittermann

Jun 22, 2009, 6:16 AM

Post #1 of 4 (1022 views)
SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts

Hello,

(skipping the long story about finding the solution, but thanks to Marc
Haber and his bug report http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478191)

And thanks to Phil Pennock for the hint that the client is dropping the
connection (as I suspected, but it always helps if somebody else has
the same suspicion).

The short story for the records:

Server:

exim 4.x (I'd guess, the version doesn't matter)
+GNU-TLS (I'd guess, the version doesn't matter)
or
+OpenSSL (I'd guess, the version doesn't matter)

Configured to request the client certificate (via `tls_verify_hosts' | `tls_try_verify_hosts').

The connection failed/dropped, logging
GNU-TLS: (gnutls_handshake): A TLS packet with unexpected length was received.
OpenSSL: (SSL_accept): error:00000000:lib(0):func(0):reason(0)

Clients:

MS Outlook Express 6.0 (not sure, if the version matters)

MS OE closed the connection - the error reported to the user was 0x800CCC0F.

Exim 4.69 (probably the version doesn't matter)
+GNU-TLS (not sure, if the version matters, used 1.4.4)

Exim closed the connection and left a log entry
'(gnutls_handshake): Internal error in memory allocation.'


It seems to depend on the size of the file used in
`tls_verify_certificates'. (Not sure if it depends on the plain size, on
the number of certificates, or on some other parameter.) With a quite old
file (Debian etch, 103 certs, about 152kB) everything works as expected;
with a new one (Debian lenny, 143 certs, about 221kB) the above
mentioned problems arise.

Maybe someone with some background knowledge about the SSL handshake
could tell us the real limit (number of certs, size of certs, ...?)
It does not seem to be a GNU-TLS issue, since the Outlook client drops
the connection too. (Or does Outlook use the GNU-TLS libs?)

Thanks to everybody who helped (even if you didn't answer my mails - but
this gave me the safe feeling of not being too stupid ;-)

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -

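The thread never pins down the limit, but the mechanism it describes is measurable: every CA subject DN in the file named by `tls_verify_certificates' is serialised into the CertificateRequest handshake message that the server sends when it asks for a client certificate (RFC 5246 section 7.4.4; the TLS 1.0/1.1 layout in RFC 2246/4346 is the same minus the signature-algorithm list). The script below is an added example, not code from the thread, from Exim or from GnuTLS/OpenSSL: it parses a PEM bundle with a minimal DER walker, builds the CertificateRequest exactly as it would go on the wire, and reports how many certs, how many bytes, and whether the message exceeds a single 16384-byte TLS record. The helpers `make_name`/`fake_cert_pem` build constructed, unsigned placeholder certificates so it runs offline; point it at a real bundle (e.g. the Debian ca-certificates file) with a path argument. The 16 KiB threshold is the TLS record fragment limit, not a claim about what any particular client tolerates.

```python
"""Size of the TLS CertificateRequest a server emits for a given CA bundle.
Added example; stdlib only.  Walks DER structure, does no signature checking."""
import base64
import re
import struct
import sys

TLS_RECORD_MAX = 16384   # max TLSPlaintext fragment, RFC 5246 section 6.2.1
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(tag, payload):
    """Encode one DER TLV with definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_split(tlv):
    """Return the child TLVs (raw bytes) of a constructed DER TLV."""
    first = tlv[1]
    pos = 2 + ((first & 0x7F) if first & 0x80 else 0)   # skip outer header
    children = []
    while pos < len(tlv):
        f = tlv[pos + 1]
        hdr = 2 + ((f & 0x7F) if f & 0x80 else 0)
        length = int.from_bytes(tlv[pos + 2:pos + hdr], "big") if f & 0x80 else f
        children.append(tlv[pos:pos + hdr + length])
        pos += hdr + length
    return children


def subject_name_der(cert_der):
    """DER-encoded subject Name of an X.509 cert (RFC 5280 section 4.1).
    TBSCertificate: [0] version?, serial, sigAlg, issuer, validity, subject, ..."""
    fields = der_split(der_split(cert_der)[0])
    if fields[0][0] == 0xA0:          # explicit [0] version present (v2/v3)
        fields = fields[1:]
    subject = fields[4]
    if subject[0] != 0x30:
        raise ValueError("subject is not a SEQUENCE (Name)")
    return subject


def pem_certs(pem_text):
    """All DER certificates in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def certificate_request(dns, tls12=False, cert_types=b"\x01\x02",
                        sig_algs=b"\x04\x01\x05\x01\x02\x01"):
    """Serialise a CertificateRequest handshake message (type 13).
    cert_types: rsa_sign(1), dss_sign(2).  sig_algs (TLS 1.2 only): sha256/rsa,
    sha384/rsa, sha1/rsa.  dns: DER Names for certificate_authorities."""
    body = bytes([len(cert_types)]) + cert_types
    if tls12:
        body += struct.pack("!H", len(sig_algs)) + sig_algs
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    if len(cas) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds the 2^16-1 wire limit")
    body += struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def certificate_request_report(pem_text, tls12=False):
    """Cert count, message size and whether it spans more than one TLS record."""
    dns = [subject_name_der(c) for c in pem_certs(pem_text)]
    msg = certificate_request(dns, tls12)
    return {"certs": len(dns), "message_bytes": len(msg),
            "records_needed": -(-len(msg) // TLS_RECORD_MAX),
            "spans_records": len(msg) > TLS_RECORD_MAX}


def make_name(cn, org):
    """DER Name: SEQUENCE { SET{SEQ{O=org}}, SET{SEQ{CN=cn}} } (constructed data)."""
    def rdn(oid, value):
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode())))
    return der_tlv(0x30, rdn(b"\x55\x04\x0a", org) + rdn(b"\x55\x04\x03", cn))


def fake_cert_pem(cn, org):
    """Structurally minimal, UNSIGNED, keyless placeholder cert for size tests only."""
    name = make_name(cn, org)
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))         # version v3
                  + der_tlv(0x02, b"\x01") + sha256_rsa + name          # serial, alg, issuer
                  + der_tlv(0x30, der_tlv(0x17, b"090101000000Z") + der_tlv(0x17, b"190101000000Z"))
                  + name + der_tlv(0x30, b""))                          # subject, empty SPKI
    b64 = base64.b64encode(der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. /etc/ssl/certs/ca-certificates.crt
        text = open(sys.argv[1]).read()
    else:                   # constructed bundle of 400 synthetic roots
        text = "".join(fake_cert_pem(f"Synthetic Root CA {i:03d}", "Example Org") for i in range(400))
    for v in (False, True):
        print("TLS 1.2" if v else "TLS 1.0/1.1", certificate_request_report(text, v))
```

Run it against the etch and lenny bundles side by side to see the two message sizes the thread compares; the synthetic names here are shorter than typical commercial-CA subjects, so real bundles cross the record boundary at far fewer than 400 certificates.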

exim-users at spodhuis

Jun 22, 2009, 6:37 AM

Post #2 of 4 (977 views)
Re: SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts [In reply to]

On 2009-06-22 at 15:16 +0200, Heiko Schlittermann wrote:
> It seems to depend on the size of the file used in
> `tls_verify_certificates'. (Not sure if it depends on the plain size, on
> the number of certificates, or on some other parameter.) With a quite old
> file (Debian etch, 103 certs, about 152kB) everything works as expected;
> with a new one (Debian lenny, 143 certs, about 221kB) the above
> mentioned problems arise.
>
> Maybe someone with some background knowledge about the SSL handshake
> could tell us the real limit (number of certs, size of certs, ...?)
> It does not seem to be a GNU-TLS issue, since the Outlook client drops
> the connection too. (Or does Outlook use the GNU-TLS libs?)

(1) Does your new cert use a newer algorithm than MD5 or SHA1? Are you
sure the client supports that, if so?

(2) https://savannah.cern.ch/bugs/?48458
http://rt.openssl.org/Ticket/Display.html?id=1949&user=guest&pass=guest
There's currently some issue when there are a "lot" of CAs
configured and client-side certificate verification is requested.

-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


hs at schlittermann

Jun 22, 2009, 2:21 PM

Post #3 of 4 (973 views)
Re: SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts [In reply to]

Hello Phil,

Phil Pennock <exim-users [at] spodhuis> (Mon 22 Jun 2009 15:37:32 CEST):
> On 2009-06-22 at 15:16 +0200, Heiko Schlittermann wrote:
> > It seems to depend on the size of the file used in
> > `tls_verify_certificates'. (Not sure if it depends on the plain size, on
> > the number of certificates, or on some other parameter.) With a quite old
> > file (Debian etch, 103 certs, about 152kB) everything works as expected;
> > with a new one (Debian lenny, 143 certs, about 221kB) the above
> > mentioned problems arise.
> >
> > Maybe someone with some background knowledge about the SSL handshake
> > could tell us the real limit (number of certs, size of certs, ...?)
> > It does not seem to be a GNU-TLS issue, since the Outlook client drops
> > the connection too. (Or does Outlook use the GNU-TLS libs?)
>
> (1) Does your new cert use a newer algorithm than MD5 or SHA1? Are you
> sure the client supports that, if so?

The list of CA certs used by the server for verification (and thus sent
to the client along with the cert request) only mentions MD5 or SHA1 as
"Signature Algorithm".

It does not seem to depend on any specific certificate. I created two
sets of CA certs used by the server for verification:

- set A: the old list (about 103 certs)
- set B: the delta between the old (103 certs) and the new (143 certs):
40 certs

And I think that if a specific cert caused the problem, the second set of CA
certs should fail. (Of course, nothing is as it seems, so probably there
are dependencies on the phase of the moon and other things...)

> (2) https://savannah.cern.ch/bugs/?48458
> http://rt.openssl.org/Ticket/Display.html?id=1949&user=guest&pass=guest
> There's currently some issue when there are a "lot" of CAs
> configured and client-side certificate verification is requested.

They are talking about a smaller number and about some sizes and they
think it's related to OpenSSL. I don't believe that. I'll send them some
notice.

I'll try to reproduce it using "native clients" (openssl/gnu-tls).

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


hs at schlittermann

Jun 22, 2009, 3:05 PM

Post #4 of 4 (977 views)
Re: SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts [In reply to]

Heiko Schlittermann <hs [at] schlittermann> (Mon 22 Jun 2009 23:21:24 CEST):
> Hello Phil,
...
>
> They are talking about a smaller number and about some sizes and they
> think it's related to OpenSSL. I don't believe that. I'll send them some
> notice.
>
> I'll try to reproduce it using "native clients" (openssl/gnu-tls).

To some extent I can reproduce the behaviour w/o Exim. So I'll stop
boring you on this list. If somebody knows somebody who could be
interested in further digging and debugging, please tell me.

--
Heiko