openssl question

Joseph Tam jtam.home at gmail.com
Wed Jan 10 01:04:58 EET 2018


> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

Offhand, I don't know of a fast way to match up client cipher specs
and server cipher specs.  The hard part is trying to figure out what
the client is doing.  Maybe you can turn on dovecot "verbose_ssl = yes"
and that will dump SSL diagnostics logs to point out where server/client
cipher negotiations fail.

You can also try and run "openssl s_server -cipher 'kEECDH:+...'" on an
alternate port/host, point your client at it, and let this utility dump
out the SSL cipher negotiations.

Joseph Tam <jtam.home at gmail.com>
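
Added example, not part of the original message: one way to match a server cipher list against a client's offered suites offline, in POSIX shell. The function names and all suite lists below are constructed for illustration; the server list is not the real expansion of the ssl_cipher_list quoted above.

```shell
#!/bin/sh
# Added example: match server cipher suites against a client's offered suites.

# Expand an OpenSSL cipher string into one suite name per line, using the
# local OpenSSL build (the result differs between OpenSSL versions).
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Print every suite in the client list ($2) that is also in the server
# list ($1). Both lists are newline-separated. Empty output is the case
# the server logs as "no shared cipher".
shared_ciphers() {
    printf '%s\n' "$2" | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        if printf '%s\n' "$1" | grep -Fxq -e "$suite"; then
            printf '%s\n' "$suite"
        fi
    done
}

# Constructed sample standing in for expand_ciphers output on a server.
SERVER_SUITES='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
AES128-SHA256'

# Constructed client offers: an older client and a newer one.
CLIENT_OLD='DHE-RSA-AES128-SHA
AES256-SHA
AES128-SHA
DES-CBC3-SHA'
CLIENT_NEW='ECDHE-RSA-AES128-GCM-SHA256
AES128-SHA'

# Summarise the overlap for one named client.
report() {
    common=$(shared_ciphers "$SERVER_SUITES" "$2")
    if [ -n "$common" ]; then
        printf '%s: shared: %s\n' "$1" "$(printf '%s' "$common" | tr '\n' ' ')"
    else
        printf '%s: no shared cipher\n' "$1"
    fi
}

report old-client "$CLIENT_OLD"
report new-client "$CLIENT_NEW"
```

For a real check, set SERVER_SUITES from expand_ciphers run on your own ssl_cipher_list value and fill the client list with the suites the client actually offers.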

