no shared cipher openssl
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Nov 16 10:11:22 EET 2020
> On 16/11/2020 09:54 lists at lazygranch.com <lists at lazygranch.com> wrote:
>
>
> On Sun, 15 Nov 2020 17:31:07 -0500
> Mike Schroeder <mikeschroe at gmail.com> wrote:
>
> > CentOS 7
> > Dovecot 2.2.36
> >
> > Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> > attempts in 0 secs):
> > user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> > SSL_accept() failed:
> > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> > session=<>
> >
> > Was working fine for over a year, until the cert expired and I
> > replaced it. I've tried the good cert I have for https and I used the
> > Dovecot.org script to generate a self-signed certificate.
> >
> > 10-ssl.conf
> > ## SSL settings
> > #ssl = required
> > ssl = yes
> > #ssl = no
> > ssl_cert = </etc/pki/dovecot/certs/mydomain.com.crt
> > ssl_key = </etc/pki/dovecot/private/mydomain.com.key
> > #ssl_ca =
> > #ssl_require_crl = yes
> > #ssl_client_ca_dir =
> > #ssl_client_ca_file =
> > #ssl_verify_client_cert = no
> > #ssl_cert_username_field = commonName
> > #ssl_dh_parameters_length = 1024
> > #ssl_protocols = !SSLv3
> >
> > # SSL ciphers to use
> > # ols values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> > ssl_cipher_list =
> > ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> > !RC4:!ADH:!LOW at STRENGTH
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> > # SSL crypto device to use, for valid values run "openssl engine"
> > #ssl_crypto_device =
> >
> > # SSL extra options. Currently supported options are:
> > # no_compression - Disable compression.
> > # no_ticket - Disable SSL session tickets.
> > #ssl_options =
> >
> > ===========================
> > # openssl x509 -dates -in mydomain.com.crt
> > notBefore=Nov 11 16:31:35 2020 GMT
> > notAfter=Nov 11 16:31:35 2022 GMT
> > -----BEGIN CERTIFICATE-----
> > :
> > ===========================
> > # openssl pkey -in mydomain.com.key
> > -----BEGIN PRIVATE KEY-----
> > :
> >
> > Thanks for taking a look. Any ideas on what I should do next to
> > debug?
> >
> > Mike
>
> I remembered this problem was posted and still had the reply post from
> Viktor. This may or may not be relevant. A search on this text will
> probably drag up the whole thread.
> ---------------
> Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
> support ECDSA. You'd need an additional RSA certificate to interoperate
> with their sending MTA's limited STARTTLS cipher/protocol repertoire.
> --------------
>
> When this thread went around I looked at my logs and found some no
> auth complaints on my dovecot log. I believe they were trying to use
> the sslv3 to hack my server. Or at least see if it is hackable. Since
> my email server is a personal one and the attack was from a hosting
> company, I blocked server IP space.
>
> The weird thing I get your error now myself but not consistently. Here
> is an example.
> -------------------------------
> Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<rXchrDG06qvGx2p9>
> Nov 16 04:18:37 imap-login: Info: Login: user=<me at mydomain.com>, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=<DSIjrDG05KvGx2p9>
>
> However the problem isn't present at the moment.
Dovecot supports alternative certificate if you have problems with ECDSA and need to use RSA for them.
See https://doc.dovecot.org/settings/core/#ssl-alt-cert
Aki
More information about the dovecot
mailing list