Bug#926900: sslv3 alert illegal parameter

sergio

Apr 11, 2019, 7:40:03 PM
Package: reportbug
Version: 7.5.2
Severity: normal

Dear Maintainer,

I'm not sure if this is a reportbug issue; it may be python3-reportbug or
python3 itself. Please correct me.


I've an exim4-daemon-heavy 4.92-2 running on buster with

CIPHERS_587 = SECURE256:-CIPHER-ALL:+AES-256-GCM:+CHACHA20-POLY1305

It works fine with all clients that I have, except reportbug:

Connecting to mail:587 via SMTP...
SMTP send failure: [SSL: SSLV3_ALERT_ILLEGAL_PARAMETER] sslv3 alert illegal parameter (_ssl.c:1056). Do you want to retry (or else save the report and exit)? [Y|n|q|?]?


exim -d+tls -bd shows:
...
SMTP>> 220 TLS go ahead
GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
GnuTLS<3>: ASSERT: ../../../lib/ext/server_name.c[_gnutls_server_name_recv_params]:109
GnuTLS<3>: ASSERT: ../../lib/hello_ext.c[hello_ext_parse]:273
GnuTLS<3>: ASSERT: ../../lib/extv.c[_gnutls_extv_parse]:69
GnuTLS<3>: ASSERT: ../../lib/hello_ext.c[_gnutls_parse_hello_extensions]:306
GnuTLS<3>: ASSERT: ../../lib/handshake.c[read_client_hello]:698
GnuTLS<3>: ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1545
GnuTLS<3>: ASSERT: ../../lib/handshake.c[handshake_server]:3400
LOG: MAIN
TLS error on connection from [IP] (gnutls_handshake): An illegal parameter has been received.
TLS failed to start
...

--
sergio.

Laurent Bigonville

Jan 26, 2024, 4:40:05 AM
When looking at the documentation of smtplib (the Python library used here), it says:
An SMTP_SSL instance behaves exactly the same as instances of SMTP.
SMTP_SSL should be used for situations where SSL is required from the beginning of the connection and using starttls() is not appropriate.
If host is not specified, the local host is used. If port is zero, the standard SMTP-over-SSL port (465) is used.

So that means that SMTP_SSL is used for connections where SSL is present from the start and not when STARTTLS is used to upgrade the connection to a secure one.

The documentation of reportbug says: smtptls: Enables TLS encryption for the SMTP connection, using STARTTLS. This setting is ignored if you connect to port 465, in which case SSL/TLS will always be used.

So either the documentation is wrong, or the code is.

The following Python code works:

>>> import smtplib
>>> smtp = smtplib.SMTP('mail-submit.debian.org',587)
>>> smtp.ehlo()
(250, b'stravinsky.debian.org Hello eriador.bigon.be [2a02:a03f:65c5:3301:a912:aba9:d92d:4965]\nSIZE 104857600\n8BITMIME\nCHUNKING\nSTARTTLS\nSMTPUTF8\nHELP')
>>> smtp.starttls()
(220, b'TLS go ahead')
>>> smtp.quit()
(221, b'stravinsky.debian.org closing connection')
>>> 

While this is not:

>>> smtplib.SMTP_SSL('mail-submit.debian.org',587)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.11/smtplib.py", line 1050, in __init__
    SMTP.__init__(self, host, port, local_hostname, timeout,
  File "/usr/lib/python3.11/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
                  ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 341, in connect
    self.sock = self._get_socket(host, port, self.timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 1057, in _get_socket
    new_socket = self.context.wrap_socket(new_socket,
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1108, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1383, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1006)
>>>
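
The mismatch in the two sessions above, reproduced offline as an added example (not part of the thread and not reportbug's code): a constructed local server greets in plaintext and offers STARTTLS the way a port-587 listener does, and a probe reports which TLS mode the port speaks. The names `start_fake_submission_server` and `detect_tls_mode` are hypothetical.

```python
import smtplib
import socket
import ssl
import threading

def start_fake_submission_server():
    """Constructed stand-in for a port-587 server: plaintext banner, offers STARTTLS."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            try:
                with conn, conn.makefile("rb") as rf:
                    conn.sendall(b"220 localhost ESMTP\r\n")
                    for line in rf:  # a TLS ClientHello lands here as garbage
                        cmd = line[:4].upper()
                        if cmd == b"EHLO":
                            conn.sendall(b"250-localhost\r\n250 STARTTLS\r\n")
                        elif cmd == b"QUIT":
                            conn.sendall(b"221 bye\r\n")
                            break
            except OSError:          # client gave up mid-handshake
                pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def detect_tls_mode(host, port, timeout=5):
    """Return 'implicit' (TLS from the first byte), 'starttls' or 'plaintext-only'."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP_SSL(host, port, local_hostname="localhost",
                              timeout=timeout, context=ctx):
            return "implicit"
    except ssl.SSLCertVerificationError:
        raise                        # TLS is spoken but untrusted: never fall back
    except ssl.SSLError:
        pass                         # the "220 ..." banner was parsed as a TLS record
    with smtplib.SMTP(host, port, local_hostname="localhost",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        return "starttls" if smtp.has_extn("starttls") else "plaintext-only"

if __name__ == "__main__":
    print(detect_tls_mode("127.0.0.1", start_fake_submission_server()))
```

A client that gets `starttls` back should connect with `smtplib.SMTP` and call `starttls(context=...)` before authenticating or sending mail.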