Mailing List Archive

Issues with external servers using incorrect ssl since around new years eve
Hi All,

I'm noticing an increasing amount of failed connections with:

TLS error on connection from .....  (SSL_accept): error:0A0000C1:SSL
routines::no shared cipher

SSL on the server has not changed nor did exim, so I'm sure it's an
issue on the remote side.

The interesting part is, the servers that now fail to supply a valid
cipher could use TLS 1.2 with a correct TLS 1.2 cipher in mid December.
After X-Mas they started to fail.

Question: Did any of you hear something about an update issue, i.e.
for Exchange, around New Year's Eve?

best regards,
Marius
Re: Issues with external servers using incorrect ssl since around new years eve
Hi All,

On 05.01.24 at 11:26, Cyborg via Exim-users wrote:
> TLS error on connection from .....  (SSL_accept): error:0A0000C1:SSL
> routines::no shared cipher
>
> The interesting part is, the servers that now fail to supply a valid
> cipher could use TLS 1.2 with a correct TLS 1.2 cipher in mid December.
> After X-Mas they started to fail.
>

I dug deeper into it:

Exim(-> openssl) does not accept one specific TLS 1.2 cipher on incoming
connections anymore.
Fact checked with s_client .... -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384

All other servers, with the identical setup, package versions and
openssl config, do accept this.

I compared /etc/crypto-policies/back-ends/openssl*.config with working
servers with sha256sum: identical.

I even reinstalled all crypto, exim and openssl packages. The problem
persists.

As if there is an additional config file for openssl that is not in the
policies path.

Stracing the running exim process does not reveal any useful system calls.

Does anyone have an idea?

System-Os: Fedora.

Best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Issues with external servers using incorrect ssl since around new years eve
On 5 January 2024 13:15:37 UTC, user Cyborg via Exim-users <exim-users@lists.exim.org> wrote:

>Exim(-> openssl) does not accept one specific TLS 1.2 cipher on incoming connections anymore.
>Fact checked with s_client .... -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384

Do you use EC(DSA) or RSA certificate?

regards


--
Slavko
https://www.slavino.sk/
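
Background to the certificate question above, as an added example that is not part of the thread or of Exim's code: a TLS 1.2 suite named ECDHE-RSA-... can only be selected when the server holds an RSA certificate, so a server that has only an EC(DSA) certificate answers such an offer with "no shared cipher". The helper names are hypothetical and the sample lists are constructed; this shows one possible cause, not a confirmed diagnosis of the problem reported here.

```python
import ssl

def cipher_auth(names):
    """Map OpenSSL cipher names to the authentication type each one requires."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the local OpenSSL accepts none of the names.
    ctx.set_ciphers(":".join(names))
    wanted = set(names)
    # get_ciphers() also lists TLS 1.3 suites, so filter by name.
    return {c["name"]: c["auth"] for c in ctx.get_ciphers() if c["name"] in wanted}

def shared_ciphers(client_offer, server_allowed, server_cert_types):
    """Suites a server could pick, in client order.

    server_cert_types is a set such as {"rsa"}, {"ecdsa"} or both.
    A suite the local OpenSSL build or policy drops counts as unusable.
    """
    auth = cipher_auth(sorted(set(client_offer) | set(server_allowed)))
    have = {"auth-" + t for t in server_cert_types}
    usable = []
    for name in client_offer:
        need = auth.get(name)
        if name in server_allowed and need is not None and (need == "auth-any" or need in have):
            usable.append(name)
    return usable

# Constructed sample: the single suite from the s_client test in the thread,
# against a server list that allows both the RSA and the ECDSA variant.
OFFER = ["ECDHE-RSA-AES256-GCM-SHA384"]
ALLOWED = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    for certs in ({"rsa"}, {"ecdsa"}, {"rsa", "ecdsa"}):
        picked = shared_ciphers(OFFER, ALLOWED, certs)
        print(sorted(certs), "->", picked or "no shared cipher")
```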
