Bug#402665: [Pkg-gnutls-maint] Bug#402665: STARTTLS causes segfault

James Westby jw+debian at jameswestby.net
Wed Dec 13 00:31:27 CET 2006


On (13/12/06 09:56), Peter Chubb wrote:
> >>>>> "James" == James Westby <jw+debian at jameswestby.net> writes:
> 
> 
> James> Unfortunately the traces you provided are not that
> James> informative. It would be great to get some more information on
> James> the connection.
> 
> 
> It was:
> 	telnet mx.chubb.wattle.id.au 25
> 	ehlo croc
> 	starttls
> and the server died.  It *should* return 220 TLS go ahead.  It's dying
> *before* the TLS handshake starts.

Ah, OK, I see that now, thanks for the clarification.

I haven't had time for a full research, but from a quick look at the
code the next big things it does after 

  initializing GnuTLS as a server

is printed in the log is initialise GnuTLS (surprise, surprise),
specifically it calls 

  gnutls_global_init
  init_dh

The first of these is a GnuTLS function, and it is called by every API
client on every setup, so if it was severely broken then we would
probably know about it by now (I'm not ruling out it being broken
though). The second is an exim gnutls related function that sets up the
DH parameters for the session, or reads them from a file.

The strace output shows /dev/urandom being read which I believe will be
done in the init function (I haven't confirmed yet though) and then exim
dying shortly afterwards.

I shall try and do some more digging into the code tomorrow, and try
and set up an instance of exim to test this.

> 
> I tried to reproduce the bug (reinstalled 1.4.4-3) and the problem has
> stopped occurring.  I *hate* bugs like that.

Me too. 

Hopefully it will stay this way. You could see if there is anything in
the output of 

  which-pkg-broke exim4
  or
  which-pkg-broke libgnutls13

(which-pkg-broke is in the debian-goodies package). 

If the server is not critical I would appreciate it if you would keep
the buggy version installed and follow up here if the problem reoccurs.

> 
> James>   * Do you have anything strange in the setup? Could I have
> James> your config if there is nothing private in it so that I can set
> James> up test server to beat up?
> 
> The setup is a standard Debian system, with sa_exim and
> exim-daemon-heavy, with the parts in
> conf.d/auth/30_exim4-config_examples uncommented to allow AUTH PLAIN
> and AUTH LOGIN. 
> 
> I'd rather the config wasn't kept on a website forever, so I'll put it
> up at http://gelato.unsw.edu.au/~peterc/exim4-conf.tar.bz2; let me
> know when you've fetched it.

Thanks, I've got it. I'll try and use it soon.

> 
> Other info:  the failing site is a virtual x86 machine under Xen, but
> this shouldn't make any difference.

Yes, it shouldn't. People do have entropy problems without special libc6
packages under Xen, but that shouldn't be causing any segfaults.

> 
> The libgnutls13 package that works is 1.4.2-1 
> 

Ok, thanks,

I'll see if I can bring myself to read the diff between these two
versions.

Thanks,

James

-- 
  James Westby   --    GPG Key ID: B577FE13    --     http://jameswestby.net/
  seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
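
The manual session quoted above (connect, EHLO, STARTTLS, expect a 220 reply), as an added example that is not part of the original message or of exim/GnuTLS: a small probe that replays it and tells a clean 220 apart from a refusal and from the connection closing with no reply, which is the symptom reported here. The function names, the result labels and the `fake_server` test double are assumptions made for illustration; only the `croc` EHLO name comes from the report.

```python
import socket
import threading

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return its code, or None on EOF."""
    while True:
        line = f.readline()
        if not line:
            return None                    # peer closed the connection
        if line[3:4] != b"-":              # "NNN-text" marks a continuation line
            return int(line[:3])

def probe_starttls(host, port, helo="croc", timeout=5.0):
    """Replay the session from the report and classify the answer to STARTTLS."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        if read_reply(f) != 220:
            return "no-greeting"
        s.sendall(b"EHLO " + helo.encode() + b"\r\n")
        if read_reply(f) != 250:
            return "ehlo-rejected"
        try:
            s.sendall(b"STARTTLS\r\n")
            code = read_reply(f)
        except ConnectionError:            # reset instead of a clean close
            code = None
    if code is None:
        return "died-before-handshake"     # no reply at all to STARTTLS
    return "go-ahead" if code == 220 else "refused-%d" % code

def fake_server(starttls_reply):
    """Constructed test double: one-shot listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv, conn.makefile("rb") as f:
            conn.sendall(b"220 test ESMTP\r\n")
            f.readline()                   # EHLO
            conn.sendall(b"250-test Hello\r\n250 STARTTLS\r\n")
            f.readline()                   # STARTTLS
            if starttls_reply is not None: # None simulates the process dying
                conn.sendall(starttls_reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_starttls("127.0.0.1", fake_server(b"220 TLS go ahead\r\n")))
    print(probe_starttls("127.0.0.1", fake_server(None)))
```

Pointed at a real host and port 25, `probe_starttls` can be run periodically to notice if the failure comes back after an upgrade.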




