[gnutls-help] Exim + GnuTLS 2.12.20 and inbound connections from outlook.com

Heiko Schlittermann hs at schlittermann.de
Thu Feb 23 12:44:11 CET 2017


I experience a strange issue with Exim (4.80), GnuTLS 2.12.20 on "my"
side and outlook.com on the other side.

Exim+GnuTLS are running as a server.  Outlook.com is configured to send
via authenticated SMTP via my server.  They try to establish a
connection to port 587 and fail right after "change cipher spec" and
"encrypted handshake message".

I'll append a pcap file, in case somebody can get more information from

Exim uses (IMHO) default settings when initializing the GnuTLS library.
A recent Exim version (4.88) doesn't change the behaviour. But if I
exchange GnuTLS for OpenSSL the issues goes away.

Is there any way to configure (priority string?) GnuTLS for
interoperability with outlook.com.

Some observation from Exim debugging: 

    GnuTLS using default session cipher/priority "NORMAL"
    cipher: TLS1.2:RSA_AES_256_CBC_SHA256:256

followed by an connection drop (outlook.com sends FIN).

Working connections from outlook.com use ECDHE-RSA-AES256-GCM-SHA384
when I have OpenSSL on my side.

Any hint is appreciated. Does Exim need to do something when
initializing the GnuTLS library (I'm asking as an Exim developer).

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: outlook.pcap
Type: application/vnd.tcpdump.pcap
Size: 7800 bytes
Desc: not available
URL: </pipermail/attachments/20170223/9cceb9c7/attachment-0001.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: </pipermail/attachments/20170223/9cceb9c7/attachment-0001.sig>

More information about the Gnutls-help mailing list