sometimes no shared cipher after upgrade from 2.2 to 2.3
We recently upgraded from dovecot 2.2 to 2.3.7.1-1
Not many, but some users are experiencing difficulties. The dovecot directors log:
Aug 21 14:28:49 director01 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=redacted, lip=10.0.0.120, TLS handshaking:
SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher, session=
Any idea what could be causing it?
Thanks, Kristijan
On 21/8/2019 16:12, Kristijan Savic - ratiokontakt GmbH via dovecot wrote:
We recently upgraded from dovecot 2.2 to 2.3.7.1-1
Not many, but some users are experiencing difficulties. The dovecot directors log:
Aug 21 14:28:49 director01 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.0.0.120, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
Any idea what could be causing it?
SSL3 is no longer included in the cipher sets. Try this:
ssl_min_protocol = SSLv3
Am 2019-08-21 15:39, schrieb Lefteris Tsintjelis via dovecot:
[ ... ]
SSL3 is no longer included in the cipher sets. Try this:
ssl_min_protocol = SSLv3
Instead of doing that I recommend identifying the users and teaching them to use a current OS / mail client. SSLv3 should not be used by anyone.
Alexander
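The handshake fails before authentication, so the failing log lines carry `user=<>` and only the remote IP identifies the client. As an added example (not part of the original thread), this script counts "no shared cipher" failures per service and remote IP and lists users who logged in successfully from the same IP. The log lines are constructed samples modelled on the entry quoted above, and the `Login:` line layout assumes Dovecot's default `login_log_format_elements`.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry quoted in the thread.
# IPs are documentation-range placeholders; user names and session ids are made up.
SAMPLE_LOG = """\
Aug 20 09:12:01 director01 dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.120, mpid=4711, TLS, session=<s1>
Aug 21 14:28:49 director01 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=10.0.0.120, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s2>
Aug 21 14:29:02 director01 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.120, mpid=4712, TLS, session=<s3>
Aug 21 14:31:10 director01 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=10.0.0.120, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s4>
Aug 21 14:35:44 director01 dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.33, lip=10.0.0.120, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s5>
"""

# Failed TLS handshake during login; user=<> is empty because auth never started.
FAIL_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+-login): Disconnected.*?"
    r"rip=(?P<rip>[^,\s]+), lip=[^,\s]+, "
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>error:[0-9A-Fa-f]+:[^,]*)"
)
# Successful login; assumes the default "user=<...>, ..., rip=..." element order.
LOGIN_RE = re.compile(r"-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[^,\s]+)")


def affected_clients(log_text, reason="no shared cipher"):
    """Map (service, remote IP) -> (failure count, users seen logging in from that IP)."""
    failures = Counter()
    users_by_ip = {}
    for line in log_text.splitlines():
        ok = LOGIN_RE.search(line)
        if ok:
            users_by_ip.setdefault(ok.group("rip"), set()).add(ok.group("user"))
            continue
        bad = FAIL_RE.search(line)
        if bad and bad.group("err").endswith(reason):
            failures[(bad.group("service"), bad.group("rip"))] += 1
    return {k: (n, sorted(users_by_ip.get(k[1], ()))) for k, n in failures.items()}


if __name__ == "__main__":
    for (service, rip), (count, users) in sorted(affected_clients(SAMPLE_LOG).items()):
        who = ", ".join(users) or "unknown (no earlier login from this IP)"
        print(f"{service} {rip}: {count} failed handshakes; candidates: {who}")
```

Feeding it logs that span the upgrade date gives the best chance of matching a failing IP to a user, since the successful logins come from before the change.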
On 21/8/2019 18:51, Kristijan Savic - ratiokontakt GmbH via dovecot wrote:
SSL3 is no longer included in the cipher sets. Try this:
ssl_min_protocol = SSLv3
Thanks. Unfortunately, no dice - same error.
Any other tips? I was under the impression "no shared cipher" was rather the problem?
Yes this is exactly the problem but the error is specific to SSL3 shared ciphers.
routines:ssl3_get_client_hello:no shared cipher
You may also want to add this
ssl_cipher_list = ALL
Basically you should focus as to why SSL3 ciphers are not activated. If the above parameter did not work, it is very possible the openssl distribution you have has not included SSL3 support at all. You may have to do some recompiling if this is the case.
If your old clients are only from your internal net and you do not provide any ISP-like services you may consider upgrading the clients, as you will quite often have issues such as this one in the near future, since support for SSL3 and below is in the process of being dropped from almost everything.
Yes this is exactly the problem but the error is specific to SSL3 shared ciphers.
routines:ssl3_get_client_hello:no shared cipher
You may also want to add this
ssl_cipher_list = ALL
Basically you should focus as to why SSL3 ciphers are not activated. If the above parameter did not work, it is very possible the openssl distribution you have has not included SSL3 support at all. You may have to do some recompiling if this is the case.
If your old clients are only from your internal net and you do not provide any ISP-like services you may consider upgrading the clients, as you will quite often have issues such as this one in the near future, since support for SSL3 and below is in the process of being dropped from almost everything.
Thank you for your input and everyone else's.
You may be right that any solution wouldn't have much longevity - so we will just tell the affected users that older clients are not supported any longer.
On 21 Aug 2019, at 07:12, Kristijan Savic - ratiokontakt GmbH ks@ratiokontakt.de wrote:
ssl3
Any idea what could be causing it?
Old MUAs or bad settings on the MUA. SSLv3 should not be used.
You should NOT try to add support for SSLv3.
-- "Alas, earwax."
participants (4): @lbutlr, Alexander Dalloz, Kristijan Savic - ratiokontakt GmbH, Lefteris Tsintjelis