
Help debugging a tls smtp session
I'm attempting to write CLIENTID support for Exim.

My current attempt is available at
https://www.aitchison.me.uk/exim/clientid.20230325.patch

I am using the exim test suite. Below is the significant part of
runtest --keep 3752

When I do STARTTLS -> CLIENTID -> NOOP
the CLIENTID gives the correct response code but the next command
fails (it doesn't have to be a NOOP) in a way suggesting that I have
lost synchronization. Sometimes the TLS connection reports unexpected
commands in the input buffer (which I confirm to match what I expect
the script to send next).

I do have PIPECONNECT enabled, so I may well be tangled up in that somehow.

Any suggestions on how to proceed ?

Connecting to 127.0.0.1 port 1225 ... connected
Certificate file = /home/eximtest/git/Exim/exim/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
Key file = /home/eximtest/git/Exim/exim/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Sat, 25 Mar 2023 17:48:12 +0000
>>> EHLO tester2a
??? 250-
<<< 250-myhost.test.ex Hello tester2a [127.0.0.1]
??? 250-
<<< 250-SIZE 52428800
??? 250-
<<< 250-8BITMIME
??? 250-STARTTLS
<<< 250-STARTTLS
??? 250 HELP
<<< 250 HELP
>>> STARTTLS
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
Succeeded in starting TLS
>>> EHLO tester2b
??? 250-
<<< 250-myhost.test.ex Hello tester2b [127.0.0.1]
??? 250-
<<< 250-SIZE 52428800
??? 250-
<<< 250-8BITMIME
??? 250-AUTH
<<< 250-AUTH EXTERNAL
??? 250-CLIENTID
<<< 250-CLIENTID
??? 250 HELP
<<< 250 HELP
>>> CLIENTID exim-device client-id-token
??? 250 OK
<<< 250 OK
>>> NOOP
??? 250 OK
Error in the pull function.
Unexpected EOF read

Thanks,

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: Help debugging a tls smtp session
On 28/03/2023 13:48, Andrew C Aitchison via Exim-dev wrote:
>
> I'm attempting to write CLIENTID support for Exim.
>
> My current attempt is available at
>   https://www.aitchison.me.uk/exim/clientid.20230325.patch
>
> I am using the exim test suite. Below is the significant part of
>    runtest --keep 3752
>
> When I do STARTTLS -> CLIENTID -> NOOP
> the CLIENTID gives the correct response code but the next command
> fails (it doesn't have to be a NOOP) in a way suggesting that I have
> lost synchronization. Sometimes the TLS connection reports unexpected
> commands in the input buffer (which I confirm to match what I expect
> the script to send next).
>
> I do have PIPECONNECT enabled, so I may well be tangled up in that somehow.

That's not getting involved, here (your exim is not advertising it for the
connection).

> Any suggestions on how to proceed ?
>
> Connecting to 127.0.0.1 port 1225 ... connected

So this is the testsuite "client" output.

...
> ??? 250-CLIENTID
> <<< 250-CLIENTID
> ??? 250 HELP
> <<< 250 HELP
> >>> CLIENTID exim-device client-id-token
> ??? 250 OK
> <<< 250 OK
> >>> NOOP
> ??? 250 OK
> Error in the pull function.
> Unexpected EOF read

The client was expecting some more TLS input, but (probably; it's the most likely
cause for that) the server closed the TCP connection.

Next step: add "-d+all" to the exim daemon line in the test script, and inspect the
resulting "test-sterr-server" file.

--
Cheers,
Jeremy


Re: Help debugging a tls smtp session
On Tue, Mar 28, 2023 at 01:48:25PM +0100, Andrew C Aitchison via Exim-dev wrote:

> When I do STARTTLS -> CLIENTID -> NOOP
> the CLIENTID gives the correct response code but the next command
> fails (it doesn't have to be a NOOP) in a way suggesting that I have
> lost synchronization. Sometimes the TLS connection reports unexpected
> commands in the input buffer (which I confirm to match what I expect
> the script to send next).
>
> I do have PIPECONNECT enabled, so I may well be tangled up in that somehow.

Can you explain in more detail what the test script is doing? Is it
perchance pipelining multiple commands with STARTTLS (which then end up
in the cleartext input buffer even post STARTTLS)?

The client script must not transmit any further SMTP commands after
"STARTTLS<CRLF>" until it has read the response and, if successful (2XX),
completed a TLS handshake. Only at that point may further commands be
sent, and they must be sent over the TLS connection, not the raw TCP
connection.

--
Viktor.

Re: Help debugging a tls smtp session
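As an added example (not part of this thread, and not Exim or test-suite code), here is a minimal client that drives EHLO -> STARTTLS -> handshake -> EHLO -> CLIENTID -> NOOP in the order Viktor describes, and a reply parser that handles the multi-line 250- responses seen in the transcript. The ReplayTransport class and the scripted server replies are constructed from the transcript so it runs offline; the command names and the CLIENTID arguments are copied from the session above.

```python
SCRIPTED_REPLIES = [   # constructed replay of the server lines in the transcript above
    "220 myhost.test.ex ESMTP Exim x.yz",
    "250-myhost.test.ex Hello tester2a [127.0.0.1]", "250-SIZE 52428800",
    "250-8BITMIME", "250-STARTTLS", "250 HELP", "220 TLS go ahead",
    "250-myhost.test.ex Hello tester2b [127.0.0.1]", "250-SIZE 52428800",
    "250-8BITMIME", "250-AUTH EXTERNAL", "250-CLIENTID", "250 HELP",
    "250 OK", "250 OK",   # replies to CLIENTID and NOOP
]

class ReplayTransport:   # socket stand-in: scripted replies, logs each send with TLS state
    def __init__(self, replies):
        self.lines, self.log, self.tls = list(replies), [], False
    def sendline(self, cmd):
        self.log.append((cmd, self.tls))
    def readline(self):
        return self.lines.pop(0) if self.lines else None   # None models a closed socket
    def starttls(self):
        self.tls = True   # a real transport wraps the socket with ssl here

def read_reply(readline):
    """Read one SMTP reply: 'NNN-' lines continue it, 'NNN ' ends it (RFC 5321 4.2.1)."""
    lines = []
    while True:
        line = readline()
        if line is None:                 # what the test client reported as 'Unexpected EOF read'
            raise EOFError("server closed the connection")
        lines.append(line)
        if line[3:4] != "-":
            return int(line[:3]), lines

def extensions(ehlo_lines):   # EHLO keywords from the continuation lines
    return {l[4:].split()[0].upper() for l in ehlo_lines[1:] if len(l) > 4}

def starttls_session(t):
    """EHLO -> STARTTLS -> handshake -> EHLO -> CLIENTID -> NOOP, in the only safe order."""
    if read_reply(t.readline)[0] != 220:
        raise RuntimeError("no 220 greeting")
    t.sendline("EHLO tester2a")
    if "STARTTLS" not in extensions(read_reply(t.readline)[1]):
        raise RuntimeError("STARTTLS not offered")
    t.sendline("STARTTLS")          # send nothing more until the 220 has been read...
    if read_reply(t.readline)[0] != 220:
        raise RuntimeError("STARTTLS refused")
    t.starttls()                    # ...and the TLS handshake has completed
    t.sendline("EHLO tester2b")     # fresh EHLO over TLS; the pre-TLS extension list is void
    if "CLIENTID" in extensions(read_reply(t.readline)[1]):
        t.sendline("CLIENTID exim-device client-id-token")
        read_reply(t.readline)
    t.sendline("NOOP")
    return read_reply(t.readline)[0]
```

A real transport implements sendline/readline over a TCP socket and starttls() as ssl.create_default_context().wrap_socket(sock, server_hostname=host); every command after that point must go through the wrapped socket, never the original one.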
Thanks, Jeremy and Victor.

As is often the way, once I sent my plea,
the next search of the code found my problem.

I was setting the status value (done) to something other than "continue".
In fact I should not have touched it at all.

On Wed, 29 Mar 2023, Jeremy Harris via Exim-dev wrote:

> On 28/03/2023 13:48, Andrew C Aitchison via Exim-dev wrote:
>>
>> I'm attempting to write CLIENTID support for Exim.
>>
>> My current attempt is available at
>>   https://www.aitchison.me.uk/exim/clientid.20230325.patch
>>
>> I am using the exim test suite. Below is the significant part of
>>    runtest --keep 3752
>>
>> When I do STARTTLS -> CLIENTID -> NOOP
>> the CLIENTID gives the correct response code but the next command
>> fails (it doesn't have to be a NOOP) in a way suggesting that I have
>> lost synchronization. Sometimes the TLS connection reports unexpected
>> commands in the input buffer (which I confirm to match what I expect
>> the script to send next).

> Next step: add "-d+all" to the exim daemon line in the test script, and
> inspect the resulting "test-sterr-server" file.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk