[gnutls-help] Exim + GnuTLS 2.12.20 and inbound connections from outlook.com

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Feb 23 13:36:43 CET 2017

On Thu, Feb 23, 2017 at 12:44 PM, Heiko Schlittermann
<hs at schlittermann.de> wrote:
> Hello,
> I experience a strange issue with Exim (4.80), GnuTLS 2.12.20 on "my"
> side and outlook.com on the other side.
> Exim+GnuTLS are running as a server.  Outlook.com is configured to send
> via authenticated SMTP via my server.  They try to establish a
> connection to port 587 and fail right after "change cipher spec" and
> "encrypted handshake message".
> I'll append a pcap file, in case somebody can get more information from
> this.
> Exim uses (IMHO) default settings when initializing the GnuTLS library.
> A recent Exim version (4.88) doesn't change the behaviour. But if I
> exchange GnuTLS for OpenSSL the issues goes away.

 Versions prior to GnuTLS 2.12.24 had few issues related to TLS 1.2
that were addressed with the recently released 2.12.24. Thus my first
recommendation would be to try with that version first.

> Is there any way to configure (priority string?) GnuTLS for
> interoperability with outlook.com.
> Some observation from Exim debugging:
>     GnuTLS using default session cipher/priority "NORMAL"
>     cipher: TLS1.2:RSA_AES_256_CBC_SHA256:256
> followed by an connection drop (outlook.com sends FIN).
> Working connections from outlook.com use ECDHE-RSA-AES256-GCM-SHA384
> when I have OpenSSL on my side.

Gnutls prior to 3.0.x does not have support for GCM or ECDHE. Thus
servers which have been restricted only to ECDHE or GCM will fail to
interoperate. To find out whether that's the case you can use
gnutls-cli-debug and gnutls-cli to test against that domain.


More information about the Gnutls-help mailing list