<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<p dir="auto">I've filed a report against msmtp, but msmtp devs think it's an issue with gnutls. Do you guys have an idea what's wrong here?</p>
<p dir="auto">Below is a copy of the initial bug I filed with msmtp. In case you want to look at the original, it's here: <a href="https://gitlab.marlam.de/marlam/msmtp/issues/21" rel="nofollow noreferrer noopener" target="_blank">https://gitlab.marlam.de/marlam/msmtp/issues/21</a></p>
<hr>
<p dir="auto">When trying to send mails to a postfix server with TLS 1.3 support the TLS connection dies after sending the second EHLO.</p>
<p dir="auto">The only error I see in the msmtp --debug output is this:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">msmtp: cannot read from TLS connection: the operation timed out</span></code></pre>
<p dir="auto">I see the problem on my Arch Linux client with msmtp 1.8.0-2 and gnutls 3.6.5-1. With gnutls 3.5.19-2 I do not see the issue. Sadly we don't have any versions in-between to test with. The server is also Arch Linux with postfix 3.3.1-4 and openssl 1.1.1-1.</p>
<p dir="auto">Using <code>gnutls-cli --starttls 587 $server</code> works just fine and I see the reply to the second EHLO, which is missing in the <code>msmtp --debug</code> output. If you want to test it yourself, feel free to connect to <code>mail.server-speed.net</code> on port 587 with arbitrary credentials. It appears that the issue happens well before the login.</p>
<p dir="auto">The output I get with <code>GNUTLS_DEBUG_LEVEL=6 msmtp --debug</code> is rather long and I don't want to leak any private information. If you cannot reproduce the issue, please tell me what else you want to know. Here's the part at the end:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">TLS certificate information:</span>
<span id="LC2" class="line" lang="plaintext">    Owner:</span>
<span id="LC3" class="line" lang="plaintext">        Common Name: mail.server-speed.net</span>
<span id="LC4" class="line" lang="plaintext">    Issuer:</span>
<span id="LC5" class="line" lang="plaintext">        Common Name: Let's Encrypt Authority X3</span>
<span id="LC6" class="line" lang="plaintext">        Organization: Let's Encrypt</span>
<span id="LC7" class="line" lang="plaintext">        Country: US</span>
<span id="LC8" class="line" lang="plaintext">    Validity:</span>
<span id="LC9" class="line" lang="plaintext">        Activation time: Sat 27 Oct 2018 12:25:08 AM CEST</span>
<span id="LC10" class="line" lang="plaintext">        Expiration time: Thu 24 Jan 2019 11:25:08 PM CET</span>
<span id="LC11" class="line" lang="plaintext">    Fingerprints:</span>
<span id="LC12" class="line" lang="plaintext">        SHA256: 7B:76:B8:0A:FA:E4:AE:00:B6:8F:24:0E:59:3E:11:BB:67:8F:AC:89:F2:65:0E:4B:BB:4D:12:E4:CB:DD:64:FE</span>
<span id="LC13" class="line" lang="plaintext">        SHA1 (deprecated): BA:83:63:D4:47:65:88:62:1D:5A:5E:73:87:C0:E6:5C:D3:31:AC:D0</span>
<span id="LC14" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Preparing Packet Application Data(23) with length: 16 and min pad: 0</span>
<span id="LC15" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Sent Packet[1] Application Data(23) in epoch 2 and length: 38</span>
<span id="LC16" class="line" lang="plaintext">--> EHLO localhost</span>
<span id="LC17" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: SSL 3.3 Application Data packet received. Epoch 2, length: 250</span>
<span id="LC18" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Expected Packet Application Data(23)</span>
<span id="LC19" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Received Packet Application Data(23) with length: 250</span>
<span id="LC20" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Decrypted Packet[0] Handshake(22) with length: 233</span>
<span id="LC21" class="line" lang="plaintext">gnutls[3]: ASSERT: buffers.c[get_last_packet]:1171</span>
<span id="LC22" class="line" lang="plaintext">gnutls[4]: HSK[0x5604f0be1070]: NEW SESSION TICKET (4) was received. Length 229[229], frag offset 0, frag length: 229, sequence: 0</span>
<span id="LC23" class="line" lang="plaintext">gnutls[3]: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1431</span>
<span id="LC24" class="line" lang="plaintext">gnutls[4]: HSK[0x5604f0be1070]: parsing session ticket message</span>
<span id="LC25" class="line" lang="plaintext">gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1560</span>
<span id="LC26" class="line" lang="plaintext">gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1759</span>
<span id="LC27" class="line" lang="plaintext">gnutls[3]: ASSERT: buffers.c[_gnutls_io_write_flush]:696</span>
<span id="LC28" class="line" lang="plaintext">gnutls[5]: REC: Sending Alert[1|0] - Close notify</span>
<span id="LC29" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Preparing Packet Alert(21) with length: 2 and min pad: 0</span>
<span id="LC30" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Sent Packet[2] Alert(21) in epoch 2 and length: 24</span>
<span id="LC31" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Start of epoch cleanup</span>
<span id="LC32" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: End of epoch cleanup</span>
<span id="LC33" class="line" lang="plaintext">gnutls[5]: REC[0x5604f0be1070]: Epoch #2 freed</span>
<span id="LC34" class="line" lang="plaintext">msmtp: cannot read from TLS connection: the operation timed out</span>
<span id="LC35" class="line" lang="plaintext"></span></code></pre>
<p dir="auto">Also here's my msmtp config:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">defaults</span>
<span id="LC2" class="line" lang="plaintext">auth plain</span>
<span id="LC3" class="line" lang="plaintext">tls on</span>
<span id="LC4" class="line" lang="plaintext">tls_starttls on</span>
<span id="LC5" class="line" lang="plaintext">tls_certcheck on</span>
<span id="LC6" class="line" lang="plaintext">tls_trust_file /etc/ssl/certs/ca-certificates.crt</span>
<span id="LC7" class="line" lang="plaintext"></span>
<span id="LC8" class="line" lang="plaintext">account flo</span>
<span id="LC9" class="line" lang="plaintext">host mail.server-speed.net</span>
<span id="LC10" class="line" lang="plaintext">port 587</span>
<span id="LC11" class="line" lang="plaintext">from bluewind@xinu.at</span>
<span id="LC12" class="line" lang="plaintext">user mail-flo</span>
<span id="LC13" class="line" lang="plaintext">passwordeval getpw-single msmtp3</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">account default : flo</span></code></pre>

</div>
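<p dir="auto">A small triage helper for the debug excerpt in the report, added here as an example and not part of the original report or of msmtp or GnuTLS: it flags any record whose decrypted content type differs from the type GnuTLS says it expected, and lists the handshake messages, assertion sites and alerts around it. The function name <code>triage</code> and the regular expressions are assumptions based only on the line formats shown in the report.</p>

```python
import re

# Lines copied from the GNUTLS_DEBUG_LEVEL=6 excerpt in the report (trimmed).
SAMPLE_LOG = """\
gnutls[5]: REC[0x5604f0be1070]: Expected Packet Application Data(23)
gnutls[5]: REC[0x5604f0be1070]: Received Packet Application Data(23) with length: 250
gnutls[5]: REC[0x5604f0be1070]: Decrypted Packet[0] Handshake(22) with length: 233
gnutls[3]: ASSERT: buffers.c[get_last_packet]:1171
gnutls[4]: HSK[0x5604f0be1070]: NEW SESSION TICKET (4) was received. Length 229[229], frag offset 0, frag length: 229, sequence: 0
gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1560
gnutls[3]: ASSERT: record.c[_gnutls_recv_int]:1759
gnutls[5]: REC: Sending Alert[1|0] - Close notify
"""

# Patterns are assumptions derived from the line formats shown in the report.
EXPECTED = re.compile(r"Expected Packet ([A-Za-z ]+)\((\d+)\)")
DECRYPTED = re.compile(r"Decrypted Packet\[\d+\] ([A-Za-z ]+)\((\d+)\) with length: (\d+)")
HANDSHAKE = re.compile(r"HSK\[0x[0-9a-f]+\]: ([A-Z ]+) \((\d+)\) was received")
ASSERTION = re.compile(r"ASSERT: ([\w.]+)\[(\w+)\]:(\d+)")
ALERT = re.compile(r"Sending Alert\[(\d+)\|(\d+)\] - (.+)")


def triage(log):
    """Summarise a GnuTLS debug log: type mismatches, handshake messages, asserts, alerts."""
    expected = None
    out = {"mismatches": [], "handshake": [], "asserts": [], "alerts": []}
    for line in log.splitlines():
        if m := EXPECTED.search(line):
            expected = m[1]  # content type the caller was waiting for
        elif m := DECRYPTED.search(line):
            # Encrypted TLS 1.3 records carry outer type 23; the real type shows after decryption.
            if expected and m[1] != expected:
                out["mismatches"].append(
                    {"expected": expected, "got": m[1], "type": int(m[2]), "length": int(m[3])})
            expected = None
        elif m := HANDSHAKE.search(line):
            out["handshake"].append((m[1], int(m[2])))
        elif m := ASSERTION.search(line):
            out["asserts"].append(f"{m[1]}:{m[2]}:{m[3]}")
        elif m := ALERT.search(line):
            out["alerts"].append((int(m[1]), int(m[2]), m[3].strip()))
    return out


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```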
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/644">view it on GitLab</a>.
</p>
</div>
</body>
</html>