Exim 4.90 tls session cache
Hi,

after upgrading to 4.90 I noticed strange behavior on Outlook@win7
(0x800CCC1A "Your Server does not support the connection encryption type
you have specified.")
but it was not a typical ciphersuite mismatch - something was really strange
- outlook managed to send the message successfully on the 2nd to 4th try!

I grabbed traffic and in failed sessions outlook was breaking connection
(FIN) just after Server Hello.
The only difference was a non-empty Session ID in the Client Hello on failed
connections (the Server Hello always contained an empty Session ID because exim
disables the session cache since 4.90:
https://github.com/Exim/exim/commit/7006ee24ecfd9d8f405f70d38cc36bdd91f8de87
).

I couldn't find any way to disable the tls session cache on the windows side (it's
possible for SCHANNEL but outlook seems to be using the WinHttp library) so I
just rebuilt exim 4.90.1 with the following change reverted:

+/* Disable session cache unconditionally */
+
+(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+
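Review bot: Forcing SSL_SESS_CACHE_OFF unconditionally leaves operators no way to re-enable server-side session IDs for clients that depend on them, as this thread shows; gate the `SSL_CTX_set_session_cache_mode(ctx, ...)` call on a configuration option (default on) instead, and have the comment state why the cache is being turned off rather than only that it is "unconditionally" disabled.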

and it fixed the problem (now I have a non-empty Session ID in the Server Hello
and it makes outlook happy).

I wonder if anybody observed similar behavior and managed to find a better
fix (on the client side probably?).

What about creating a configure knob to disable the session cache (let it be on
by default)?

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
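As an added example, not code from the thread or from Exim: a small parser that pulls the Session ID out of a captured ClientHello/ServerHello pair and flags the pattern Marcin describes, a client offering a session ID while the server answers with an empty one (a full handshake rather than a resumption). The record and Hello layout follows TLS 1.2; the handshake bytes and the `build_hello` helper are constructed sample data, not a real capture.

```python
import struct

HANDSHAKE = 0x16            # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2

def session_id_of(record: bytes):
    """Parse one TLS handshake record and return (handshake_type, session_id)."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rlen]
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if htype not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("handshake message %d is not a Hello" % htype)
    # Both Hellos start with version(2) + random(32) + session_id_length(1).
    sid_len = hello[34]
    return htype, hello[35:35 + sid_len]

def resumption_declined(client_hello: bytes, server_hello: bytes) -> bool:
    """True when the client offered a session ID but the server answered with an
    empty one, i.e. a full handshake instead of a resumption. A full handshake is
    legal TLS, so this flags the pattern to investigate, not a protocol error."""
    ct, csid = session_id_of(client_hello)
    st, ssid = session_id_of(server_hello)
    if ct != CLIENT_HELLO or st != SERVER_HELLO:
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return len(csid) > 0 and len(ssid) == 0

def build_hello(htype: int, session_id: bytes) -> bytes:
    """Construct a minimal TLS 1.2 Hello record (constructed sample, not a capture)."""
    hello = b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    if htype == CLIENT_HELLO:
        hello += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        hello += b"\xc0\x2f" + b"\x00"               # chosen suite, null compression
    body = bytes([htype]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    ch = build_hello(CLIENT_HELLO, bytes(range(32)))   # client re-offers an earlier session ID
    sh = build_hello(SERVER_HELLO, b"")                 # server with its session cache off
    print("client offered a session ID the server did not echo:", resumption_declined(ch, sh))
```

On a real capture, feed each function the raw bytes of the first handshake record on port 587/465 in both directions; a run of connections where the result is True, followed by a client FIN, matches the failure described above.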
Re: Exim 4.90 tls session cache
On 08/04/18 23:22, Marcin Gryszkalis via Exim-users wrote:
> after upgrading to 4.90 I noticed strange behavior on Outlook@win7
> (0x800CCC1A "Your Server does not support the connection encryption type
> you have specified.")
> but it was not a typical ciphersuite mismatch - something was really
> strange - outlook managed to send the message successfully on the 2nd to 4th
> try!

Bug 2255.

> I wonder if anybody observed similar behavior and managed to find a better
> fix (on the client side probably?).

Apparently not. We thought that disabling the session cache on the
IMAP service might help (the supposition is that OE is trying to
re-use the IMAP TLS session for the SMTP connection, as it only
seems to happen when IMAP is served by the same system) but that
was tried and didn't help.


> What about creating a configure knob to disable the session cache (let it be
> on by default)?

Being discussed; see Phil's message an hour before yours.

The upcoming 4.91 will revert to leaving the cache uselessly
enabled; any knob will not appear before 4.92.
--
Cheers,
Jeremy

Re: Exim 4.90 tls session cache
On 2018-04-09 00:50, Jeremy Harris via Exim-users wrote:
> Bug 2255.

Bingo, it seems that Exim's Bugzilla is not crawled by Google.

>> I wonder if anybody observed similar behavior and managed to find a
>> better fix (on the client side probably?).
>
> Apparently not. We thought that disabling the session cache on the
> IMAP service might help (the supposition is that OE is trying to
> re-use the IMAP TLS session for the SMTP connection, as it only
> seems to happen when IMAP is served by the same system) but that
> was tried and didn't help.

That's exactly right - outlook uses session IDs from IMAP in the SMTP
connection (I've seen it in the pcap). I thought about using a different
hostname for IMAP but it would require updating certs and I didn't want
to wait for this (plus it requires a change on all clients, reentering
passwords etc). Additionally I don't know if outlook's cache is hostname
based or IP based (in the latter case a hostname change wouldn't help).


> The upcoming 4.91 will revert to leaving the cache uselessly
> enabled; any knob will not appear before 4.92.

great :)

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7
jabber jid:mg@fork.pl