no shared cipher openssl

lists at lazygranch.com
Mon Nov 16 09:54:16 EET 2020



On Sun, 15 Nov 2020 17:31:07 -0500
Mike Schroeder <mikeschroe at gmail.com> wrote:

> CentOS 7
> Dovecot 2.2.36
> 
> Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs):
> user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> SSL_accept() failed:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> session=<>
> 
> Was working fine for over a year, until the cert expired and I
> replaced it. I've tried the good cert I have for https and I used the
> Dovecot.org script to generate a self-signed certificate.
> 
> 10-ssl.conf
> ## SSL settings
> #ssl = required
> ssl = yes
> #ssl = no
> ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt
> ssl_key =  </etc/pki/dovecot/private/mydomain.com.key
> #ssl_ca =
> #ssl_require_crl = yes
> #ssl_client_ca_dir =
> #ssl_client_ca_file =
> #ssl_verify_client_cert = no
> #ssl_cert_username_field = commonName
> #ssl_dh_parameters_length = 1024
> #ssl_protocols = !SSLv3
> 
> # SSL ciphers to use
> # old value: ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> 
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
> 
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
> 
> # SSL extra options. Currently supported options are:
> #   no_compression - Disable compression.
> #   no_ticket - Disable SSL session tickets.
> #ssl_options =
> 
> ===========================
> # openssl x509 -dates -in mydomain.com.crt
> notBefore=Nov 11 16:31:35 2020 GMT
> notAfter=Nov 11 16:31:35 2022 GMT
> -----BEGIN CERTIFICATE-----
>              :
> ===========================
>  # openssl pkey -in mydomain.com.key
> -----BEGIN PRIVATE KEY-----
>               :
> 
> Thanks for taking a look.  Any ideas on what I should do next to
> debug?
> 
> Mike

I remembered this problem was posted and still had the reply post from
Viktor. This may or may not be relevant. A search on this text will
probably drag up the whole thread.
---------------
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
support ECDSA.  You'd need an additional RSA certificate to interoperate
with their sending MTA's limited STARTTLS cipher/protocol repertoire.
--------------

When this thread went around I looked at my logs and found some "no
auth" complaints in my dovecot log. I believe they were trying to use
SSLv3 to hack my server, or at least see if it is hackable. Since my
email server is a personal one and the attack was from a hosting
company, I blocked that server IP space.

The weird thing is that I get your error now myself, but not
consistently. Here is an example.
-------------------------------
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<rXchrDG06qvGx2p9>
Nov 16 04:18:37 imap-login: Info: Login: user=<me at mydomain.com>, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=<DSIjrDG05KvGx2p9>

However the problem isn't present at the moment.
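The quoted advice from Viktor rests on one mechanical fact: OpenSSL will only offer a cipher whose authentication algorithm matches the key in the server certificate, so an ECDSA-only certificate leaves a client that can only do RSA-authenticated ciphers with nothing to negotiate, and SSL_accept() fails with "no shared cipher". The script below is an added example, not code from the thread or from Dovecot: it checks the key type of a certificate, works out which ciphers from the quoted ssl_cipher_list a server holding that certificate can actually offer, and intersects that with what a client offers. It assumes the openssl command-line tool is on PATH; CIPHER_LIST is the list from the quoted 10-ssl.conf with the list archive's " at " restored to "@"; the certificates, the CN "mail.example.test", and the client cipher string 'aRSA' (standing in for a legacy, RSA-only client) are throw-away test fixtures generated on the spot.

```shell
#!/bin/sh
# Added example (not from the original thread): predict "no shared cipher" from
# the server certificate's key type, the server cipher list and the client's offer.
# Assumes the openssl CLI is available. Paths and names below are test fixtures.

# The cipher list from the quoted 10-ssl.conf (" at " restored to "@").
CIPHER_LIST='ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'

# make_cert ec|rsa DIR  ->  writes a throw-away self-signed DIR/cert.pem and DIR/key.pem
make_cert() {
    case "$1" in
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$2/key.pem" ;;
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2/key.pem" 2>/dev/null ;;
        *)   echo "make_cert: unknown key type $1" >&2; return 1 ;;
    esac
    openssl req -x509 -new -key "$2/key.pem" -out "$2/cert.pem" -days 1 \
        -subj "/CN=mail.example.test" 2>/dev/null
}

# Print the certificate's public key algorithm: rsaEncryption or id-ecPublicKey.
cert_key_type() {   # cert_key_type CERT_FILE
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# List, one per line, the ciphers of a cipher string that a server holding CERT_FILE
# can offer: only ciphers whose Au= column (see "openssl ciphers -v") matches the
# certificate's key survive. TLS 1.3 suites show Au=any and work with either key.
ciphers_for_cert() {   # ciphers_for_cert SERVER_CIPHER_STRING CERT_FILE
    case "$(cert_key_type "$2")" in
        rsaEncryption)  au=RSA ;;
        id-ecPublicKey) au=ECDSA ;;
        *) echo "ciphers_for_cert: unsupported key type in $2" >&2; return 1 ;;
    esac
    openssl ciphers -v "$1" | awk -v au="$au" '$4 == ("Au=" au) || $4 == "Au=any" { print $1 }'
}

# What a client without TLS 1.3 (the "limited STARTTLS repertoire" case) offers for
# a cipher string: the TLS 1.3 suites are dropped, leaving only key-bound ciphers.
legacy_client_offer() {   # legacy_client_offer CLIENT_CIPHER_STRING
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3" { print $1 }'
}

# Intersect the server's negotiable set with the client's offer. Empty output is
# exactly the condition behind OpenSSL's "no shared cipher" failure in SSL_accept().
shared_ciphers() {   # shared_ciphers SERVER_CIPHER_STRING CERT_FILE CLIENT_OFFER(newline separated)
    server=$(ciphers_for_cert "$1" "$2") || return 1
    printf '%s\n' "$server" | awk -v client="$3" '
        BEGIN { n = split(client, c, "\n"); for (i = 1; i <= n; i++) have[c[i]] = 1 }
        ($1 in have) { print $1 }'
}

# Demonstration: the same server cipher list and the same RSA-only, pre-TLS-1.3
# client against an ECDSA certificate and against an RSA certificate.
demo() {
    work=$(mktemp -d)
    offer=$(legacy_client_offer 'aRSA')
    for kt in ec rsa; do
        mkdir -p "$work/$kt"
        make_cert "$kt" "$work/$kt"
        cert="$work/$kt/cert.pem"
        n=$(ciphers_for_cert "$CIPHER_LIST" "$cert" | wc -l | tr -d ' ')
        s=$(shared_ciphers "$CIPHER_LIST" "$cert" "$offer" | wc -l | tr -d ' ')
        echo "$(cert_key_type "$cert"): server can offer $n ciphers, shares $s with an RSA-only TLS 1.2 client"
    done
    rm -rf "$work"
}
demo
```

Run it as `sh check-ciphers.sh`; the ECDSA line reports zero shared ciphers, the RSA line a non-empty set. To apply the same check to a live server, point `cert_key_type` at the deployed certificate and reproduce the client side with `openssl s_client -connect mail.example.com:995 -cipher 'aRSA' -tls1_2` (or `-starttls pop3` against port 110): the same "no shared cipher" alert appears if the server's set is empty for that offer. The second error in the log above is a different failure: TLS alert 46 (certificate_unknown) is sent by the client when it rejects the server's certificate, so the ciphers matched there and it is the client's trust in the new certificate that should be checked.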


