On 2012-05-29 Norbert PREINING <prein...@jaist.ac.jp> wrote:
> Package: exim4-daemon-light
> Version: 4.77-1+b1
> Severity: serious
> Submitter: Norbert Preining <prein...@logic.at>

> Hi all,

> I have searched the bug database and the web for information, and I cannot
> get it to work, exim *always* dies with
> TLS error on connection to xxx.yyy.zzz.www [NN.NN.NN.NN] (gnutls_handshake):
> A TLS packet with unexpected length was received.
[...]
> When I do
> $ openssl s_client -connect xxx.yyy.zzz.www:587
> CONNECTED(00000003)
> 139642052535976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:766:
> ---
> no peer certificate available
[...]
> So also this does not help really.

> The remote server is not under my control, but is advertised as
> smtp server in my university.

Hello,
587 uses starttls, you'll need to talk to 465 to give abovementioned
openssl test a chance to succeed.

Afaict the remote side breaks if the connecting side tries to use
TLS1.1/TLS1.2 and/or TLS record random padding.

Therefore these succeed:
ametzler@argenau:~$ openssl s_client -tls1 -connect \
    smtp.jaist.ac.jp:465
gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
    smtp.jaist.ac.jp -p 465

I have tried to connect on 587 with STARTTLS but the remote side does
not ever send a reply to EHLO in gnutls-cli. (Need to investigate)

Anyway, if remote's STARTTLS worked exim should be able to connect if
the SSL/settings are modified (for 4.77 gnutls_require_protocols and
gnutls_compat_mode, for 4.80 (in experimental) simply set
tls_require_ciphers to the abovementioned priority string.)

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
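Added example, not part of the original message: a small Python check that tells a plaintext SMTP greeting (a STARTTLS port such as 587) from a TLS record (an implicit-TLS port such as 465), and shows what a TLS parser decodes when it reads the greeting as a record header, which is why the plain `openssl s_client` test on 587 ends in "unknown protocol". The sample bytes and the hostname `mail.example.org` are constructed, not captured from the server in this thread.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def tls_record_header(data: bytes):
    """Decode the 5-byte TLS record header: type, (major, minor), length."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of service produced the first bytes read from a socket."""
    # SMTP reply: three digits, then space (last line) or hyphen (continuation).
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext SMTP greeting: negotiate STARTTLS before TLS"
    header = tls_record_header(data)
    if header:
        ctype, (major, _minor), length = header
        # A plausible record: known type, SSL3/TLS major version, sane length.
        if ctype in CONTENT_TYPES and major == 3 and length <= 2**14 + 2048:
            return f"TLS {CONTENT_TYPES[ctype]} record: implicit TLS port"
    return "unrecognised"


# Constructed samples, not captured from the server in this thread.
SMTP_BANNER = b"220 mail.example.org ESMTP\r\n"
SERVER_HELLO = bytes([22, 3, 1, 0, 74]) + b"\x02" * 74  # TLS 1.0 handshake

if __name__ == "__main__":
    for sample in (SMTP_BANNER, SERVER_HELLO):
        # For the banner the "header" is the ASCII text "220 m" misread as
        # type 50, version 50.48, length 8301: not a valid TLS record.
        print(classify_first_bytes(sample), tls_record_header(sample))
```

On a live STARTTLS port the equivalent manual check is `openssl s_client -starttls smtp -connect host:587`, which performs the SMTP exchange before starting the handshake.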