You wouldn't believe it. Just discovered that the load balancers in front of Exim had been configured to rewrite the payload and forge STARTTLS before it even hit the mailserver. I've reconfigured the load balancers and Exim is behaving as expected now. Thought I was going mad making all those changes and them having no effect!

Kind Regards

Tom Vernon

On 22/03/2015 09:28, Viktor Dukhovni wrote:
> On Sun, Mar 22, 2015 at 08:59:39AM +0000, Jeremy Harris wrote:
>
>> On 19/03/15 01:09, Tom Vernon wrote:
>>> 2015-03-19 00:04:02 TLS error on connection from (ME) [xx.xx.xx.xx]
>>> (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>>> protocol
>> Sounds like an ssl protocol version issue.
>
> Almost always, "unknown protocol" means that the data received was
> not a TLS client HELLO at all, but rather some cleartext or other
> data that is not a TLS handshake (in some rare cases a malformed
> TLS record-layer packet due to implementation bugs).
>
> From ssl/s23_srvr.c:
>
>     if ((type < 1) || (type > 3)) {
>         /* bad, very bad */
>         SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
>         goto err;
>     }
>
> The point of the code sample is that the protocol is not any
> plausible SSL/TLS version that's ever been defined.



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
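
An added example, not code from this thread or from OpenSSL: a simplified classifier for the first bytes a TLS listener receives, for checking a capture taken between the load balancer and Exim against the "not a TLS client HELLO at all" diagnosis above. The function names, the SMTP verb list and the sample bytes are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum first_bytes { FB_TLS_RECORD, FB_SSLV2_HELLO, FB_SMTP_CLEARTEXT, FB_UNKNOWN };

/* Case-insensitive test that buffer p (n bytes) starts with an upper-case verb. */
static int starts_with(const unsigned char *p, size_t n, const char *verb)
{
    size_t i, len = strlen(verb);
    if (n < len)
        return 0;
    for (i = 0; i < len; i++)
        if (toupper(p[i]) != verb[i])
            return 0;
    return 1;
}

/* Simplified sniff (an assumption of this example, not OpenSSL's logic). */
enum first_bytes classify_first_bytes(const unsigned char *p, size_t n)
{
    static const char *verbs[] = { "EHLO", "HELO", "STARTTLS", "MAIL", "RSET", "NOOP", "QUIT" };
    size_t i;

    /* TLS record: content type 0x16 (handshake), version major 3, and the
       handshake message at offset 5 is type 1 (ClientHello). */
    if (n >= 6 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01)
        return FB_TLS_RECORD;
    /* SSLv2-format hello: high bit set in the 2-byte length, message type 1. */
    if (n >= 3 && (p[0] & 0x80) && p[2] == 0x01)
        return FB_SSLV2_HELLO;
    /* A cleartext SMTP verb where a TLS handshake was expected. */
    for (i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (starts_with(p, n, verbs[i]))
            return FB_SMTP_CLEARTEXT;
    return FB_UNKNOWN;
}

int main(void)
{
    /* Constructed samples, not bytes captured from the thread's servers. */
    static const unsigned char tls[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b };
    static const unsigned char smtp[] = "EHLO client.example\r\n";
    static const char *names[] = { "TLS ClientHello", "SSLv2-format hello", "cleartext SMTP", "unknown" };

    printf("%s\n", names[classify_first_bytes(tls, sizeof tls)]);
    printf("%s\n", names[classify_first_bytes(smtp, sizeof smtp - 1)]);
    return 0;
}
```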
