Mailing List Archive

On Mon, Nov 21, 2022 at 09:41:12PM +0000, Julian Bradfield via Exim-users wrote:

> I should like to know what's happening here:
>
> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.

OpenSSL would usually log the alert number (and associated text string),
from which one could infer more information about what the remote client
is unhappy about. I'd hope that GnuTLS could also log this (or make the
alert info available to Exim to optionally log).

That said, the most common issues that remote clients are unhappy about
are untrusted certificates and expired certificates. Perhaps you have a
Let's Encrypt certificate chain that includes a cross cert to the now
expired DST Root CA (for Android compatibility). You can configure
certbot et. al. to build a chain that skips the cross cert, expecting
clients to support the ISRG root.

https://www.mail-archive.com/postfix-users@postfix.org/msg94314.html

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Mon, Nov 21, 2022 at 09:41:12PM +0000, Julian Bradfield via Exim-users wrote:

> I should like to know what's happening here:
>
> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.
>

If the server in question is "london.jcbradfield.org", then another
potential issue is a missing intermediate issuer certificate. Your
certificate chain has only the leaf server certificate without the
required "R3" intermediate issuer certificate. If using certbot, use
"fullchain.pem" not "cert.pem" (or the equivalent for a different
setup).

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 21/11/2022 21:41, Julian Bradfield via Exim-users wrote:
> I should like to know what's happening here:
>
> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.
>
> However, I can't see how to get any more information. I've tried
> setting
> add_environment = GNUTLS_DEBUG_LEVEL=3
> in the exim4 config file, but it doesn't appear to do anything.
>
> Is there a way to get more information?

The gnutls library helpfully (I infer) reads the environment at
process startup, too early for the config-driven addition of that
variable. Try having the thing firing off the exim process
adding to the environment instead. You'll need to add it
to keep_environment.

I go up to 9 on occasion, but 3 is reasonably detailed.

Alternatively, since you know there's an alert involved, go down
the packet capture route. You'll need to
add_environment = SSLKEYLOGFILE=<SOME_DIRECTORY>/sslkeys
and tell wireshark where to pick them up
(edit/pref/protocols/tls/ Master Secret Log filename)
--
Cheers,
Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 21/11/2022 21:41, Julian Bradfield via Exim-users wrote:
> Is there a way to get more information?

Oh, yes, do ensure you're running with Exim's debug facilities
enabled. Commandline option or ACL modifier.
--
Cheers,
Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

• Julian Bradfield via Exim-users [2022-11-21 21:41]:
> I should like to know what's happening here:
>
> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.

I see similar on a number of systems, and would be interested if you
manage to find a solution.

2022-11-22 09:30:27 TLS error on connection from smtp-outgoing-1803.laposte.net [160.92.124.104] (gnutls_handshake): A TLS fatal alert has been received.
2022-11-22 09:41:06 TLS error on connection from smtp-outgoing-1601.laposte.net [160.92.124.96] (gnutls_handshake): A TLS fatal alert has been received.

There are lots of them, and also from worldline.com and some other from
time to time.

The certificate on this particular host is issued by Buypass and entire chain is sent along.

> However, I can't see how to get any more information. I've tried
> setting
> add_environment = GNUTLS_DEBUG_LEVEL=3
> in the exim4 config file, but it doesn't appear to do anything.
>
> Is there a way to get more information?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Thank you for the various replies!

Viktor wrote:

>> 2022-11-21 21:10:42 TLS error on connection from r218.notifications.rbs.co.uk [130.248.154.218] (gnutls_handshake): A TLS fatal alert has been received.
>
>OpenSSL would usually log the alert number (and associated text string),
>from which one could infer more information about what the remote client
>is unhappy about. I'd hope that GnuTLS could also log this (or make the
>alert info available to Exim to optionally log).

Hopefully if I set it correctly, per Jeremy's reply below, it will.

>That said, the most common issues that remote clients are unhappy about
>are untrusted certificates and expired certificates. Perhaps you have a
>Let's Encrypt certificate chain that includes a cross cert to the now
>expired DST Root CA (for Android compatibility). You can configure
>certbot et. al. to build a chain that skips the cross cert, expecting
>clients to support the ISRG root.

>If the server in question is "london.jcbradfield.org", then another
>potential issue is a missing intermediate issuer certificate. Your
>certificate chain has only the leaf server certificate without the
>required "R3" intermediate issuer certificate. If using certbot, use
>"fullchain.pem" not "cert.pem" (or the equivalent for a different
>setup).

Indeed. That's only been the case recently. For the last 20 years,
I've been presenting a self-signed certificate and had never noticed any
problems. A few days ago I happened to notice my bank getting these
TLS fatal alerts and then *not* falling through to plain text, which
most others do.
So I started experimenting, but hadn't yet got as far as giving the
full chain (largely, I admit, because I don't have certification
internalized, and just follow recipes).

Jeremy wrote:
>The gnutls library helpfully (I infer) reads the environment at
>process startup, too early for the config-driven addition of that
>variable. Try having the thing firing off the exim process
>adding to the environment instead. You'll need to add it
>to keep_environment.

Thanks! Should have thought of that.

>Alternatively, since you know there's an alert involved, go down
>the packet capture route. You'll need to
>add_environment = SSLKEYLOGFILE=<SOME_DIRECTORY>/sslkeys
>and tell wireshark where to pick them up
>(edit/pref/protocols/tls/ Master Secret Log filename)

Ugh. Hopefully not... Presumably that would also have to be done by
setting it before exim start.

>Oh, yes, do ensure you're running with Exim's debug facilities
>enabled. Commandline option or ACL modifier.

Tried that. Debug +tls gave nothing useful.


Kirill wrote:

something in base64 which got saved as such:) (Anybody know a
newsreader which supports following up to multiple article at once?)

Asking I think for any information, as he sees something similar. Will
do.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Wed, Nov 23, 2022 at 06:25:29PM +0000, Julian Bradfield via Exim-users wrote:

> >If the server in question is "london.jcbradfield.org", then another
> >potential issue is a missing intermediate issuer certificate. Your
> >certificate chain has only the leaf server certificate without the
> >required "R3" intermediate issuer certificate. If using certbot, use
> >"fullchain.pem" not "cert.pem" (or the equivalent for a different
> >setup).
>
> Indeed. That's only been the case recently. For the last 20 years,
> I've been presenting a self-signed certificate and had never noticed
> any problems. A few days ago I happened to notice my bank getting
> these TLS fatal alerts and then *not* falling through to plain text,
> which most others do. So I started experimenting, but hadn't yet got
> as far as giving the full chain (largely, I admit, because I don't
> have certification internalized, and just follow recipes).

So, have you tried configuring a complete certificate chain (ideally
without the Android compatibility crutch). Did that make any
difference?

If you disable TLS 1.3, the alerts will be unencrypted in a packet
capture, which you could then decode with "tshark" or wireshark without
needing to resort to TLS key export.

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

• Julian Bradfield via Exim-users [2022-11-23 18:25]:
[...]
> Kirill wrote:
>
> something in base64 which got saved as such:)

I wonder why...

> Asking I think for any information, as he sees something similar. Will
> do.

exactly: https://marc.info/?l=exim-users&m=166919251811778&w=2

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 2022-11-23, Kirill Miazine via Exim-users <exim-users@exim.org> wrote:
> • Julian Bradfield via Exim-users [2022-11-23 18:25]:
> [...]
>> Kirill wrote:
>>
>> something in base64 which got saved as such:)
>
> I wonder why...

Because when you save an article in slrn, it saves the entire
article. There doesn't appear to be a "write the decoded body" option,
and there isn't an option to follow up to multiple articles in one
post, so I just saved all the replies to a file and edited that.

>> Asking I think for any information, as he sees something similar. Will
>> do.
>
> exactly: https://marc.info/?l=exim-users&m=166919251811778&w=2

I didn't say I didn't have the original, it just wasn't in
my followup, and slrn also doesn't let you go back to the article
display while composing.

Yes, I could just use Gnus, but the Gnus interface annoys me too
much, and I've been using rn variants for 35 years ...

Maybe I'll extend slrn ...

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 2022-11-23, Viktor Dukhovni via Exim-users <exim-users@exim.org> wrote:

> So, have you tried configuring a complete certificate chain (ideally
> without the Android compatibility crutch). Did that make any
> difference?

Well, since doing that I haven't seen any fatal alerts in the logs.
But I also haven't had another attempt from the bank in question yet,
only from the usual spammers.

I wasn't actually asking how to fix the problem, by the way, only
about how to get the alert information, which Jeremy answered.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/