All,

I have recently installed our COMODO 384-bit ECC PositiveSSL Wildcard Certificate (*.thorcom.net) on relay1|relay2|relay3.thorcom.net and am seeing lots of TLS errors:

(SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

followed by:

    TLS client disconnected cleanly (rejected our certificate?)

from hosts that I'm fairly sure used to work ok with our old self-signed 2048-bit RSA cert.

Example:

2017-03-29 18:45:25 TLS error on connection from 358939-web3.datainterconnect.co.uk [92.52.73.71] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:45:53 TLS error on connection from 358938-web2.datainterconnect.co.uk [92.52.73.70] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:51:20 TLS error on connection from simone.ucs.mun.ca [134.153.232.76] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:51:30 TLS error on connection from simone.ucs.mun.ca [134.153.232.76] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:10 TLS error on connection from mx1.slc.paypal.com (mx2.slc.paypal.com) [173.0.84.226] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:24 TLS error on connection from mx2.slc.paypal.com (mx0.slc.paypal.com) [173.0.84.227] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:26 TLS error on connection from mx2.slc.paypal.com (mx0.slc.paypal.com) [173.0.84.227] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:43 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:25 TLS error on connection from avasout05.plus.net [84.93.230.250] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:36 TLS error on connection from mail.wia.org.au (echo.vintek.net) [223.25.225.6] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:36 TLS error on connection from avasout05.plus.net [84.93.230.250] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:58:14 TLS error on connection from ng12-ip5.bullet.mail.ne1.yahoo.com [98.138.215.211] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:58:25 TLS error on connection from msbadger0201.apple.com [17.254.6.118] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:00:46 TLS error on connection from avasout05.plus.net [84.93.230.250] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:00:46 TLS error on connection from avasout05.plus.net [84.93.230.250] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:06:17 TLS error on connection from mail-oln040092071039.outbound.protection.outlook.com (EUR03-DB5-obe.outbound.protection.outlook.com) [40.92.71.39] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:06:18 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:06:18 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:09:18 TLS error on connection from mail-sn1nam01on0075.outbound.protection.outlook.com (NAM01-SN1-obe.outbound.protection.outlook.com) [104.47.32.75] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:10:48 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:10:48 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:10:49 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:12:31 TLS error on connection from (mail.thorcom.co.uk) [2a00:2381:19c6::2000] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:17:34 TLS error on connection from avasout06.plus.net [212.159.14.18] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I've left the repeated: TLS client disconnected cleanly (rejected our certificate?) out of this as it adds nothing ...

This appears to suggest that the client is attempting SSLv3 (unless the debug messages are misleading) however I have SSLv3 disabled in Exim config.

My config snippets:


#
# Enable TLS with strong ciphers
#
MAIN_TLS_ENABLE = true

# Comodo ECC new on 17-MAR-2017
tls_certificate = /........./thorcom.net-comodo-bundle.crt
tls_privatekey = /........./thorcom.net.key

# advertise TLS to everyone
tls_advertise_hosts = *

# Ciphers: all the EC and GCM first then degrade gracefully
tls_require_ciphers = kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:!aNULL:!eNULL:!MD5:!DSS

# disable SSLv2 SSLv3 and compression - force server preference for ciphers
openssl_options = -all +no_sslv2 +no_sslv3 +no_compression +cipher_server_preference

# advertise auth to TLS sessions only
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}



Running the tests at ssl-tools.net:

    https://ssl-tools.net/mailservers/relay1.thorcom.net

appears to show that everything is in order and that SSLv3 is, in fact, disabled:


    Servers: Incoming Mails

    These servers are responsible for incoming mails to *@relay1.thorcom.net* addresses.

    relay1.thorcom.net (195.171.43.32)
        Priority:      -
        STARTTLS:      supported
        Certificates:  *.thorcom.net <https://ssl-tools.net/mailservers/relay1.thorcom.net#f4b04d03d0516cf01a5d7a771d4a4dc43779446d>
        DANE:          missing
        PFS:           supported
        Heartbleed:    not vulnerable
        Weak ciphers:  not found
        Protocol:      TLSv1.2, TLSv1.1, TLSv1.0, SSLv3
        2017-03-17, 3.0 s

    relay1.thorcom.net (2a00:2381:19c6::3200)
        Priority:      -
        STARTTLS:      supported
        Certificates:  *.thorcom.net <https://ssl-tools.net/mailservers/relay1.thorcom.net#f4b04d03d0516cf01a5d7a771d4a4dc43779446d>
        DANE:          missing
        PFS:           supported
        Heartbleed:    not vulnerable
        Weak ciphers:  not found
        Protocol:      TLSv1.2, TLSv1.1, TLSv1.0, SSLv3
        2017-03-17, 3.0 s



So, is the problem:

    1. clients rejecting my ECC 384 bit certificate?
    2. clients persisting in trying SSLv3 when it is, in fact, disabled?
    3. brain dead clients unable to use decent modern/strong/PFS ciphers - some of which are mandated in TLSv1.0, v1.1 and v1.2?


Mike
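
An added example, not part of the original post: it expands the posted tls_require_ciphers string with the local OpenSSL and shows which suites stay negotiable when the only certificate loaded is ECDSA, since in TLS 1.2 and earlier the suite's authentication algorithm must match the certificate's key type. The function names and the two client offer lists are constructed for illustration.

```python
import ssl

# Cipher string copied from the tls_require_ciphers line in the post.
EXIM_CIPHERS = (
    "kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:"
    "ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:"
    "!aNULL:!eNULL:!MD5:!DSS"
)

# Constructed client offers (assumptions, not taken from the post's logs).
RSA_ONLY_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]


def suites_by_auth(cipher_string):
    """Expand a cipher string with the local OpenSSL and group the
    TLS 1.2-and-earlier suites by the authentication type they need."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not bound to a certificate key type
        groups.setdefault(suite["auth"], []).append(suite["name"])
    return groups


def shared_suites(client_offer, cipher_string, cert_auth):
    """Suites both sides could use, in server preference order, given that
    the server holds only a certificate of type cert_auth."""
    usable = suites_by_auth(cipher_string).get(cert_auth, [])
    return [name for name in usable if name in client_offer]


if __name__ == "__main__":
    for auth, names in sorted(suites_by_auth(EXIM_CIPHERS).items()):
        print(f"{auth}: {len(names)} suites enabled by the cipher string")
    for label, offer in (("RSA-only client", RSA_ONLY_CLIENT),
                         ("modern client", MODERN_CLIENT)):
        common = shared_suites(offer, EXIM_CIPHERS, "auth-ecdsa")
        print(label, "->", common or "no shared cipher")
```

The same listing is available from the command line with `openssl ciphers -v` followed by the cipher string; the `Au=` column shows the key type each suite requires.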

