[gnutls-devel] GnuTLS | msmtp unable to send mail with gnutls 3.6.5. TLS1.3 issue? (#644)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Dec 7 17:47:50 CET 2018


New Issue was created.

Issue 644: https://gitlab.com/gnutls/gnutls/issues/644
Author:    Florian Pritz
Assignee:  

I've filed a report against msmtp, but msmtp devs think it's an issue with gnutls. Do you guys have an idea what's wrong here?

Below is a copy of the initial bug I filed with msmtp. In case you want to look at the original, it's here: https://gitlab.marlam.de/marlam/msmtp/issues/21

-----

When trying to send mails to a postfix server with TLS 1.3 support the TLS connection dies after sending the second EHLO.

The only error I see in the msmtp --debug output is this:
```
msmtp: cannot read from TLS connection: the operation timed out
```

I see the problem on my Arch Linux client with msmtp 1.8.0-2 and gnutls 3.6.5-1. With gnutls 3.5.19-2 I do not see the issue. Sadly we don't have any versions in-between to test with. The server is also Arch Linux with postfix 3.3.1-4 and openssl 1.1.1-1.

Using `gnutls-cli --starttls 587 $server` works just fine and I see the reply to the second EHLO, which is missing in the `msmtp --debug` output. If you want to test it yourself, feel free to connect to `mail.server-speed.net` on port 587 with arbitrary credentials. It appears that the issue happens well before the login.

The output I get with `GNUTLS_DEBUG_LEVEL=6 msmtp --debug` is rather long and I don't want to leak any private information. If you cannot reproduce the issue, please tell me what else you want to know. Here's the part at the end:
```
TLS certificate information:
    Owner:
        Common Name: mail.server-speed.net
    Issuer:
        Common Name: Let's Encrypt Authority X3
        Organization: Let's Encrypt
        Country: US
    Validity:
        Activation time: Sat 27 Oct 2018 12:25:08 AM CEST
        Expiration time: Thu 24 Jan 2019 11:25:08 PM CET
    Fingerprints:
        SHA256: 7B:76:B8:0A:FA:E4:AE:00:B6:8F:24:0E:59:3E:11:BB:67:8F:AC:89:F2:65:0E:4B:BB:4D:12:E4:CB:DD:64:FE
        SHA1 (deprecated): BA:83:63:D4:47:65:88:62:1D:5A:5E:73:87:C0:E6:5C:D3:31:AC:D0
gnutls[5]: REC[0x5604f0be1070]: Preparing Packet Application Data(23) with length: 16 and min pad: 0
gnutls[5]: REC[0x5604f0be1070]: Sent Packet[1] Application Data(23) in epoch 2 and length: 38
--> EHLO localhost
gnutls[5]: REC[0x5604f0be1070]: SSL 3.3 Application Data packet received. Epoch 2, length: 250
gnutls[5]: REC[0x5604f0be1070]: Expected Packet Application Data(23)
gnutls[5]: REC[0x5604f0be1070]: Received Packet Application Data(23) with length: 250
gnutls[5]: REC[0x5604f0be1070]: Decrypted Packet[0] Handshake(22) with length: 233
gnutls[3]: ASSERT: buffers.c[get_last_packet]:1171
gnutls[4]: HSK[0x5604f0be1070]: NEW SESSION TICKET (4) was received. Length 229[229], frag offset 0, frag length: 229, sequence: 0
gnutls[3]: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1431
gnutls[4]: HSK[0x5604f0be1070]: parsing session ticket message
gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1560
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1759
gnutls[3]: ASSERT: buffers.c[_gnutls_io_write_flush]:696
gnutls[5]: REC: Sending Alert[1|0] - Close notify
gnutls[5]: REC[0x5604f0be1070]: Preparing Packet Alert(21) with length: 2 and min pad: 0
gnutls[5]: REC[0x5604f0be1070]: Sent Packet[2] Alert(21) in epoch 2 and length: 24
gnutls[5]: REC[0x5604f0be1070]: Start of epoch cleanup
gnutls[5]: REC[0x5604f0be1070]: End of epoch cleanup
gnutls[5]: REC[0x5604f0be1070]: Epoch #2 freed
msmtp: cannot read from TLS connection: the operation timed out
```

Also here's my msmtp config:
```
defaults
auth plain
tls on
tls_starttls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account flo
host mail.server-speed.net
port 587
from bluewind at xinu.at
user mail-flo
passwordeval getpw-single msmtp3

account default : flo
```

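The debug excerpt in the report shows a record received as Application Data(23) that decrypts to Handshake(22) carrying a NEW SESSION TICKET, followed by ASSERT lines and a Close notify alert. The following is an added example, not part of the original report and not GnuTLS or msmtp code, that pulls those events out of a long `GNUTLS_DEBUG_LEVEL` log. The `triage` function and the sample lines are constructed here and assume the log line format shown in the excerpt.

```python
import re

# Constructed sample in the line format of the excerpt above (address shortened).
SAMPLE = """\
gnutls[5]: REC[0x1]: Sent Packet[1] Application Data(23) in epoch 2 and length: 38
gnutls[5]: REC[0x1]: Received Packet Application Data(23) with length: 250
gnutls[5]: REC[0x1]: Decrypted Packet[0] Handshake(22) with length: 233
gnutls[3]: ASSERT: buffers.c[get_last_packet]:1171
gnutls[4]: HSK[0x1]: NEW SESSION TICKET (4) was received. Length 229[229], frag offset 0
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1759
gnutls[5]: REC: Sending Alert[1|0] - Close notify
"""

RECEIVED = re.compile(r"REC\[\w+\]: Received Packet (.+?)\((\d+)\) with length: (\d+)")
DECRYPTED = re.compile(r"REC\[\w+\]: Decrypted Packet\[\d+\] (.+?)\((\d+)\) with length: (\d+)")
HSK = re.compile(r"HSK\[\w+\]: (.+?) \((\d+)\) was received")
ASSERT = re.compile(r"ASSERT: ([\w.]+)\[(\w+)\]:(\d+)")
ALERT = re.compile(r"Sending Alert\[(\d+)\|(\d+)\] - (.+)")

def triage(log_text):
    """Collect wrapped records, handshake messages, asserts and alerts by line number."""
    findings = {"wrapped": [], "handshake_msgs": [], "asserts": [], "alerts": []}
    outer = None  # wire content type of the most recently received record
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := RECEIVED.search(line):
            outer = (m.group(1), int(m.group(2)))
        elif m := DECRYPTED.search(line):
            inner = (m.group(1), int(m.group(2)))
            # TLS 1.3 encrypted records carry outer type 23 (application_data);
            # the real content type only appears after decryption.
            if outer and outer[1] == 23 and inner[1] != 23:
                findings["wrapped"].append((n, outer[0], inner[0]))
            outer = None
        elif m := HSK.search(line):
            findings["handshake_msgs"].append((n, m.group(1), int(m.group(2))))
        elif m := ASSERT.search(line):
            findings["asserts"].append((n, f"{m.group(1)}:{m.group(2)}:{m.group(3)}"))
        elif m := ALERT.search(line):
            findings["alerts"].append((n, m.group(3).strip()))
    return findings

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```
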