I've just noticed that for at least the last 4 days my logs show errors like

    2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with unexpected length was received.

This is on my machine receiving a connection from another machine I also control. Both are running exim4-daemon-heavy 4.69-2+b1. Right now,

    $ cat /proc/sys/kernel/random/entropy_avail
    160

on the sender machine and 3598 here. I guess the former is quite low.

I see there are a bunch of bugs about this kind of problem, though none I've looked at involve exim talking to exim.

Does this error imply that the corresponding message transmissions were not encrypted? That they didn't take place at all?

Second, is there anything I can or should do either to correct this, add on to some bug, or help diagnose it?

Thanks.
Ross
On Tue, Apr 29, 2008 at 10:36:24AM -0700, Ross Boylan wrote:
> I've just noticed that for at least the last 4 days my logs show errors
> like
> 2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org
> (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with
> unexpected length was received.

ca-certificates installed and all CAs set to trusted?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
On Tue, 2008-04-29 at 22:29 +0200, Marc Haber wrote:
> On Tue, Apr 29, 2008 at 10:36:24AM -0700, Ross Boylan wrote:
> > I've just noticed that for at least the last 4 days my logs show errors
> > like
> > 2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org
> > (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with
> > unexpected length was received.
>
> ca-certificates installed
Yes
> and all CAs set to trusted?
I don't know where or how that's set. I'm not sure it matters, since the certificates are self-signed.

Ross
On Tue, Apr 29, 2008 at 01:35:08PM -0700, Ross Boylan wrote:
> On Tue, 2008-04-29 at 22:29 +0200, Marc Haber wrote:
> > On Tue, Apr 29, 2008 at 10:36:24AM -0700, Ross Boylan wrote:
> > > I've just noticed that for at least the last 4 days my logs show errors
> > > like
> > > 2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org
> > > (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with
> > > unexpected length was received.
> >
> > ca-certificates installed
> Yes
> > and all CAs set to trusted?
> I don't know where or how that's set.

dpkg-reconfigure ca-certificates.

If too many CAs are selected, the handshake gets too large and is aborted.

Greetings
Marc
-- 
Please note that, under the [in my opinion unconstitutional] Data Retention Act, since 1 January 2008 all electronic contact (e-mail, telephone calls, SMS, internet telephony, mobile telephony, fax) with me or other users is stored for six months, regardless of any suspicion, for automated secret access by criminal-prosecution and police authorities, the Federal Financial Supervisory Authority, customs criminal investigation and customs investigation offices, the customs administration for combating undeclared work, emergency call centres, constitution-protection authorities, the Military Counter-Intelligence Service, the Federal Intelligence Service and 52 states such as Azerbaijan or the USA, including communication with persons bound by professional secrecy such as doctors, journalists and lawyers. More information on the total logging of your communication data at www.vorratsdatenspeicherung.de. (copied, slightly modified, from www.lawblog.de)
On Tue, 2008-04-29 at 23:05 +0200, Marc Haber wrote:
> On Tue, Apr 29, 2008 at 01:35:08PM -0700, Ross Boylan wrote:
> > On Tue, 2008-04-29 at 22:29 +0200, Marc Haber wrote:
> > > On Tue, Apr 29, 2008 at 10:36:24AM -0700, Ross Boylan wrote:
> > > > I've just noticed that for at least the last 4 days my logs show errors
> > > > like
> > > > 2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org
> > > > (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with
> > > > unexpected length was received.
> > >
> > > ca-certificates installed
> > Yes
> > > and all CAs set to trusted?
> > I don't know where or how that's set.
>
> dpkg-reconfigure ca-certificates.
>
> If too many CAs are selected, the handshake gets too large and is
> aborted.
>
> Greetings
> Marc
>
Which end of the connection do I need to reconfigure?

Ross
On Tue, Apr 29, 2008 at 02:14:49PM -0700, Ross Boylan wrote:
> Which end of the connection do I need to reconfigure?

The server.

Greetings
Marc
On Tue, 2008-04-29 at 23:05 +0200, Marc Haber wrote:
> On Tue, Apr 29, 2008 at 01:35:08PM -0700, Ross Boylan wrote:
> > On Tue, 2008-04-29 at 22:29 +0200, Marc Haber wrote:
> > > On Tue, Apr 29, 2008 at 10:36:24AM -0700, Ross Boylan wrote:
> > > > I've just noticed that for at least the last 4 days my logs show errors
> > > > like
> > > > 2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org
> > > > (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with
> > > > unexpected length was received.
> > >
> > > ca-certificates installed
> > Yes
and it was updated on 2008-04-24. The TLS errors seem to begin coincident with the ca-certificates upgrade.
> > > and all CAs set to trusted?
> > I don't know where or how that's set.
>
> dpkg-reconfigure ca-certificates.
>
> If too many CAs are selected, the handshake gets too large and is
> aborted.
>
I did have all certificates set to trusted; I made perhaps 1/3 untrusted, and that seems to have solved the problem. Thanks.

It looks as if the earlier TLS failures did not block message receipt, but they did mean the messages were sent unencrypted.

Does any of this indicate any defaults that might be good to change?

Ross
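Ross's finding above (handshake failures did not stop delivery, they just made it cleartext) is the kind of thing worth checking for in the receiving side's mainlog rather than discovering by accident. The script below is an added example for this thread, not code from the thread, from Exim or from Debian: it correlates Exim 4 "TLS error on connection" lines with the message arrivals that followed from the same peer and lists the arrivals that came in without TLS (Exim marks a TLS-protected arrival with P=esmtps and an X= cipher field; a plain one carries P=esmtp and no X=). The sample log is constructed: the host name and address are the ones quoted in the thread, the message ids, senders and sizes are made up.

```python
"""Correlate Exim 4 TLS handshake errors with the arrivals that followed them.

Constructed example for this thread; not code from Exim, Debian or the thread's
participants.  Relies on Exim's default mainlog format: an arrival line carries
'P=esmtps' and an 'X=' cipher field when the session used TLS, and 'P=esmtp'
with no 'X=' field when it did not."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog. Host name and address follow the thread's report;
# message ids, senders and sizes are made up.
SAMPLE_LOG = """\
2008-04-24 09:48:46 TLS error on connection from upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with unexpected length was received.
2008-04-24 09:48:47 1JpAAa-0001Ab-Cd <= alice@example.org H=upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] P=esmtp S=2048 id=constructed-1@example.org
2008-04-24 10:02:11 1JpAAb-0001Ac-De <= bob@example.net H=mx.example.net [192.0.2.10] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=4096 id=constructed-2@example.net
2008-04-24 10:15:30 TLS error on connection from upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] (gnutls_handshake): A TLS packet with unexpected length was received.
2008-04-24 10:15:31 1JpAAc-0001Ad-Ef <= carol@example.org H=upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] P=esmtp S=512 id=constructed-3@example.org
2008-04-24 11:40:00 1JpAAd-0001Ae-Fg <= dave@example.org H=upstrm185.psg-ucsf.org (iron.psg.net) [38.99.193.74] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=700 id=constructed-4@example.org
"""

TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from .*?\[(?P<ip>[^\]]+)\]")
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=.*?\[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)(?P<rest>.*)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def audit_exim_log(text, window=timedelta(minutes=10)):
    """Return {ip: {"tls_errors": n, "cleartext_after_error": [msgids], "tls_ok": n}}
    for every peer that produced at least one TLS handshake error.  An arrival
    without TLS is attributed to an error if it follows one from the same peer
    within `window`."""
    last_error = {}
    report = defaultdict(lambda: {"tls_errors": 0, "cleartext_after_error": [], "tls_ok": 0})
    for line in text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if m:
            last_error[m["ip"]] = _ts(m["ts"])
            report[m["ip"]]["tls_errors"] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        encrypted = m["proto"] == "esmtps" or " X=" in m["rest"]
        if encrypted:
            if ip in report:            # only peers that had an error are reported
                report[ip]["tls_ok"] += 1
            continue
        err = last_error.get(ip)
        if err is not None and timedelta(0) <= _ts(m["ts"]) - err <= window:
            report[ip]["cleartext_after_error"].append(m["id"])
    return dict(report)


if __name__ == "__main__":
    for ip, r in audit_exim_log(SAMPLE_LOG).items():
        print(ip, "errors=%d tls_ok=%d cleartext=%s"
              % (r["tls_errors"], r["tls_ok"], ", ".join(r["cleartext_after_error"])))
```

Run it against /var/log/exim4/mainlog instead of SAMPLE_LOG to get the list of message ids that arrived in the clear right after a failed handshake. The fallback itself happens on the sending side; Exim's smtp transport option hosts_require_tls makes delivery to the listed hosts fail and queue instead of retrying without TLS, which is the setting to consider when the traffic must not cross the link unencrypted.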
On Wed, Apr 30, 2008 at 01:33:56PM -0700, Ross Boylan wrote:
> Does any of this indicate any defaults that might be good to change?

We could patch exim to set a higher maximum handshake size, but since Simon has already indicated that he will backport the corresponding GnuTLS change to the version currently in unstable, I decided to live with the issue for the time being and to wait for the GnuTLS fix.

Again, Simon has been very helpful in tracking down and fixing the issue.

Greetings
Marc
* Marc Haber:
> dpkg-reconfigure ca-certificates.
>
> If too many CAs are selected, the handshake gets too large and is
> aborted.

Huh? That's a bug. Only the certificates in the chains should be sent.
On Thu, May 01, 2008 at 12:14:14PM +0200, Florian Weimer wrote:
> * Marc Haber:
>
> > dpkg-reconfigure ca-certificates.
> >
> > If too many CAs are selected, the handshake gets too large and is
> > aborted.
>
> Huh? That's a bug. Only the certificates in the chains should be sent.
Ross Boylan wrote:
> It looks as if the earlier TLS failures did not block message receipt,
> but they did mean the messages were sent unencrypted.

Which I would think is not a big deal since emails tend to travel plaintext all the way or a great part of it. In my opinion the only practical benefit of encryption is to avoid plaintext passwords.

Regards,
Jeroen
On Thu, 2008-05-01 at 16:36 -0700, Jeroen van Aart wrote:
> Ross Boylan wrote:
> > It looks as if the earlier TLS failures did not block message receipt,
> > but they did mean the messages were sent unencrypted.
>
> Which I would think is not a big deal since emails tend to travel
> plaintext all the way or a great part of it. In my opinion the only
> practical benefit of encryption is to avoid plaintext passwords.
>
> Regards,
> Jeroen

In this case some of the mail travelled only within a secure network before taking the last hop and could contain confidential information. So the encryption was (is) essential.

Ross
* Marc Haber:
>> Huh? That's a bug. Only the certificates in the chains should be sent.
>
> From my understanding, the server needs to indicate which CAs it
> trusts to allow the client to select the appropriate certificate.

No CA is trusted in that sense: You don't grant permission to rely solely because someone has got a certificate from one of those CAs.
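Marc and Florian are talking about two different handshake messages. The Certificate message carries only the server's own chain, as Florian says; the list that grows with every CA marked trusted is the certificate_authorities field of the CertificateRequest, which a server sends when it asks the client for a certificate and which, per RFC 2246/5246 section 7.4.4, holds the DER-encoded Name of every CA it would accept. The script below is an added example for this thread, not code from Exim, GnuTLS or the thread's participants: it encodes X.501 Names by hand, lays out the CertificateRequest body as the RFCs describe it and shows how many constructed CA names fit under a size limit. The 16 KiB limit and the placeholder CA names are assumptions for illustration, not figures taken from GnuTLS or from the Debian ca-certificates bundle.

```python
"""Size of a TLS CertificateRequest as a function of the number of trusted CAs.

Constructed example for this thread; not code from Exim, GnuTLS or the thread's
participants.  The DER encoder and the CertificateRequest layout follow X.690
and RFC 2246/5246 section 7.4.4; ASSUMED_LIMIT is an illustration, not the
real GnuTLS handshake limit."""


# --- minimal DER encoding ------------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """One DER TLV: tag octet, length octets, contents."""
    return bytes([tag]) + der_len(len(body)) + body


# Attribute type OIDs as DER OID contents: 2.5.4.6 (C), 2.5.4.10 (O), 2.5.4.3 (CN)
OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"


def der_name(attrs):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, each RDN a SET holding
    one AttributeTypeAndValue SEQUENCE { OID, UTF8String }."""
    rdns = b""
    for oid, value in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode("utf-8")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


# --- CertificateRequest layout -------------------------------------------------
HANDSHAKE_HEADER = 4  # HandshakeType (1 byte) + uint24 body length (3 bytes)


def certificate_request_size(ca_names, cert_types=(1,), sig_algs=None):
    """Bytes on the wire for a CertificateRequest whose certificate_authorities
    list holds the given DER Names.  cert_types is the ClientCertificateType
    list (1 = rsa_sign); sig_algs is the number of SignatureAndHashAlgorithm
    pairs in TLS 1.2, or None for TLS 1.0/1.1 where that field does not exist."""
    size = HANDSHAKE_HEADER
    size += 1 + len(cert_types)                       # certificate_types<1..2^8-1>
    if sig_algs is not None:
        size += 2 + 2 * sig_algs                      # supported_signature_algorithms<2..2^16-2>
    size += 2 + sum(2 + len(dn) for dn in ca_names)   # DistinguishedName<0..2^16-1>, each opaque<1..2^16-1>
    return size


def max_cas_within(ca_names, limit, **kw):
    """Length of the longest prefix of ca_names whose CertificateRequest fits in limit."""
    n = 0
    while n < len(ca_names) and certificate_request_size(ca_names[: n + 1], **kw) <= limit:
        n += 1
    return n


def constructed_ca_list(count):
    """Constructed placeholder CA subjects, roughly the length of real root CA names."""
    return [der_name([(OID_C, "XX"),
                      (OID_O, "Example Root Authority Number %d" % i),
                      (OID_CN, "Example Root CA %d" % i)]) for i in range(count)]


ASSUMED_LIMIT = 16 * 1024  # assumption for illustration, not a GnuTLS constant


if __name__ == "__main__":
    cas = constructed_ca_list(200)
    print("CertificateRequest with 200 CAs:", certificate_request_size(cas), "bytes (TLS 1.0)")
    print("with 200 CAs and 10 TLS 1.2 sigalgs:", certificate_request_size(cas, sig_algs=10), "bytes")
    n = max_cas_within(cas, ASSUMED_LIMIT)
    print("CAs that fit under", ASSUMED_LIMIT, "bytes:", n)
```

Every additional trusted CA costs its DER Name plus two length bytes, and nothing else in the handshake depends on the number of CAs, which is why "untrust a third of them" was enough to get Ross under the limit. Since the server only sends this list when it requests a client certificate, the lasting fix on the server is to point the CA file Exim uses for peer verification (tls_verify_certificates) at the CAs actually needed to verify the peers that will present certificates, rather than at the whole system bundle.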
Ross Boylan wrote:
> In this case some of the mail travelled only within a secure network
> before taking the last hop and could contain confidential information.
> So the encryption was (is) essential.

I understand that. The thing is, if you have to exchange confidential information and you go through the trouble of making it secure, why not add some additional effort and exchange such information in a different way. Email by its very nature can never be considered secure. Try an encrypted filesystem on a USB stick handed over in person, or by certified mail. Distribute the key separately.

I would think that the confidentiality you speak of allows the extra effort to keep it that way. If not then I guess it's more a "sorta confidential", or "keeping up the appearance of confidentiality but isn't really, as long as "they" are happy". :-)

Best regards,
Jeroen
Florian Weimer wrote:
> No CA is trusted in that sense: You don't grant permission to rely
> solely because someone has got a certificate from one of those CAs.

Actually I heard some CAs have not got the best track record with regards to "trusted" and spamming. But I would need more information in order to form a definite opinion.

Thanks,
Jeroen