jetmore / swaks

Swaks - Swiss Army Knife for SMTP
http://jetmore.org/john/code/swaks/
GNU General Public License v2.0

--pipe using tls to exim compiled with gnutls not working #30

Open jetmore opened 3 years ago

jetmore commented 3 years ago

This is an old report (2014) which was just brought back to my attention by hschlittermann. It appears to be specific to Exim compiled with gnutls, which I don't think was ever tested. "The same Exim, but compiled with OpenSSL works."

swaks --tls --pipe 'exim -bh <ip>'

LOG: TLS error on connection from (SERVERNAME) [SERVERIP] (gnutls_handshake): A TLS packet with unexpected length was received.
<-  220 TLS go ahead
*** TLS startup failed (connect(): error:00000000:lib(0):func(0):reason(0))
*** STARTTLS attempted but failed
pkg-config --modversion gnutls  ---> 2.12.20
pkg-config --modversion openssl ---> 1.0.1e
jetmore commented 1 year ago

confirmed locally

openssl:

jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../mta/exim-install/bin/exim -bV | egrep -i '(tls|ssl)'
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../../swaks --tls --to foo --quit mail --pipe '../mta/exim-install/bin/exim -bh 127.0.0.1'
=== Trying pipe to ../mta/exim-install/bin/exim -bh 127.0.0.1...
=== Connected to ../mta/exim-install/bin/exim -bh 127.0.0.1.
[...]
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS client certificate requested and not sent
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
=== TLS peer certificate failed CA verification, failed host verification (no host string available to verify)

gnutls

jetmore@g3:~/Documents/git/swaks/testing/regressions$ exim4 -bV | egrep -i '(ssl|tls)'
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
jetmore@g3:~/Documents/git/swaks/testing/regressions$ ../../swaks --tls --to foo --quit mail --pipe 'exim4 -bh 127.0.0.1'
=== Trying pipe to exim4 -bh 127.0.0.1...
=== Connected to exim4 -bh 127.0.0.1.
[...]
 -> STARTTLS
<-  220 TLS go ahead
[hangs forever]
jetmore commented 1 year ago

gnutls

$ ../../swaks --tls --to foo --quit mail --pipe 'exim4 -d -bh 127.0.0.1'
[...]
SMTP>> 220 TLS go ahead
GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:369
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
GnuTLS<3>: ASSERT: ../../lib/record.c[recv_headers]:1171
GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1302
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1448
GnuTLS<3>: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1506
GnuTLS<3>: ASSERT: ../../lib/handshake.c[handshake_server]:3460
GnuTLS<2>: WRITE: -1 returned from 0x1, errno: 88
GnuTLS<3>: ASSERT: ../../lib/buffers.c[errno_to_gerr]:230
<-  220 TLS go ahead
GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:722
GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_send_tlen_int]:574
[hang]

testing with debug over tcp just to compare

$ sudo -u Debian-exim exim4 -d -bd -oX 1025
$ ../../swaks --tls --to foo --quit mail --server 127.0.0.1 -p 1025

 2978 SMTP>> 220 TLS go ahead
 2978 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:240
 2978 TLS: no SNI presented in handshake.
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/psk_ke_modes.c[psk_ke_modes_recv_params]:136
 2978 GnuTLS<2>: checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
 2978 GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:240
 2978 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 13.2: GNUTLS_AES_256_GCM_SHA384
 2978 GnuTLS<2>: EXT[0x559526a5c2a0]: server generated X25519 shared key
 2978 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
 2978 GnuTLS<3>: ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:923
 2978 GnuTLS<3>: ASSERT: ../../lib/tls13/session_ticket.c[_gnutls13_send_session_ticket]:284
 2978 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
 2978 gnutls_handshake was successful
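The key line in the pipe trace above is "WRITE: -1 returned from 0x1, errno: 88": 0x1 is the transport pointer (file descriptor 1, the write side of the pipe) and errno 88 on Linux is ENOTSOCK, "Socket operation on non-socket". The TCP comparison succeeds because there the descriptor really is a socket. The following C program is an added example, not code from this issue, from swaks or from exim; it assumes only that the failing TLS side calls send()/recv() on the descriptor, which is what ENOTSOCK from a write on fd 1 indicates, and it reproduces that failure on a pipe next to the read()/write() calls that work on both kinds of descriptor:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Move one byte from wfd to rfd using the socket calls a TLS library's
 * default transport layer may use. Returns 0 on success, otherwise the
 * errno of the failing call (ENOTSOCK, 88 on Linux, when the fds are a pipe). */
static int probe_socket_calls(int rfd, int wfd)
{
    char out = 'x', in = 0;
    if (send(wfd, &out, 1, 0) != 1)
        return errno;
    if (recv(rfd, &in, 1, 0) != 1)
        return errno;
    return in == 'x' ? 0 : EIO;
}

/* The same transfer with plain read()/write(), which any descriptor supports. */
static int probe_plain_io(int rfd, int wfd)
{
    char out = 'x', in = 0;
    if (write(wfd, &out, 1) != 1)
        return errno;
    if (read(rfd, &in, 1) != 1)
        return errno;
    return in == 'x' ? 0 : EIO;
}

typedef int (*probe_fn)(int rfd, int wfd);

/* Run a probe over a pipe, the transport that swaks --pipe hands to exim -bh
 * (assumed stand-in for that setup). Returns the probe result, or errno if
 * pipe() itself fails. */
static int over_pipe(probe_fn probe)
{
    int fds[2], rc;
    if (pipe(fds) != 0)
        return errno;
    rc = probe(fds[0], fds[1]);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Run a probe over an AF_UNIX socketpair, standing in for the TCP socket of
 * the -bd -oX 1025 comparison (assumed equivalent for this purpose). */
static int over_socketpair(probe_fn probe)
{
    int fds[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0)
        return errno;
    rc = probe(fds[0], fds[1]);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int pipe_plain_io(void)         { return over_pipe(probe_plain_io); }
int pipe_socket_calls(void)     { return over_pipe(probe_socket_calls); }
int sockpair_plain_io(void)     { return over_socketpair(probe_plain_io); }
int sockpair_socket_calls(void) { return over_socketpair(probe_socket_calls); }

static void report(const char *label, int rc)
{
    if (rc == 0)
        printf("%-32s ok\n", label);
    else
        printf("%-32s errno %d (%s)\n", label, rc, strerror(rc));
}

int main(void)
{
    report("pipe, read()/write():", pipe_plain_io());
    report("pipe, recv()/send():", pipe_socket_calls());
    report("socketpair, read()/write():", sockpair_plain_io());
    report("socketpair, recv()/send():", sockpair_socket_calls());
    return 0;
}
```

Only the "pipe, recv()/send()" line fails, and on Linux it reports errno 88, the same value as in the GnuTLS trace. Whichever side of the handshake makes socket calls on a pipe descriptor will fail this way, so the practical checks are either to give the TLS library read()/write()-style transport callbacks when stdin/stdout are not sockets, or to test STARTTLS against the -bd -oX listener instead of -bh when the build uses socket-only transport functions.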
jetmore commented 1 year ago

This is probably not relevant, but it took me forever and an incredibly dim memory to find it, so I'm recording it for posterity

commit 56f5d9bd6bb563f4f0eab011ed665da234d93e37
Author: Philip Hazel <ph10@hermes.cam.ac.uk>
Date:   Tue Dec 12 15:47:39 2006 +0000

    Apply John Jetmore's patch to allow tls-on-connect and STARTTLS to be
    tested/used via the -bh/-bhc/-bs options.
jetmore commented 10 months ago

dropping to backlog