[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

exim4 & libgnutls26: "A TLS packet with unexpected length was received."

Dear Longtermers

Watching the exim logs of my wheezy server, I discover a lot of
connection aborts of incoming TLS connections. The error is quite
generic: "A TLS packet with unexpected length was received." This seems
to be a often observed problem since long time.

Unfortunately the error is increasingly more often observed today
compared to earlier, e.g. today vs. October 2015: 41% vs. 3% (Counting
the error over one month in relation to the number of received
messages). It occurs with ebay, sendgrid and few others. There are many
TLS connections that do work well without an error.

There are some bugs reports related to it, with a long history:

#740160 - gnutls unusable with cacert SHA2-512 sigs

#737921 - [TLS1.2] gnutls only likes SHA1 and SHA256 certificates

#482404 - A TLS packet with unexpected length was received when
receiving mail from MS Exchange 2003

#348046 - multiple GnuTLS issues - please only add information to
blocking bugs

One reason is libgnutls26 fails with sha512 keys, this can be worked
around by adding the corresponding domains to tls_try_verify_exceptions.
Unfortunately this is not a remedy for all connecting hosts, it works
with gmx but not others.

With the increasing number of this error emails get delayed or do not
get delivered at all.

I know LTS is not about fixing bugs, this one is critical though and it
affects probably many wheezy installations. As it gets worse with time,
it might be that some one would like to care anyway or maybe there is a
known solution to this problem I haven't found in the net. Any advice is
highly appreciated - I want to keep encrypted connections as the first
option for connecting hosts.

Thank you for your help!

Best regards, Adrian Zaugg.

Reply to: