On 31.05.21 at 13:44, Marcin Gryszkalis via Exim-users wrote:
Hi, I have a problem with one server connecting to my exim.
Just after the Client Hello the server sends "Handshake Failure" and closes
the connection.
exim's cipher list is wide
ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
and contains ciphers that are mentioned by the client, the same for
curves, signatures etc. The only difference is that extended_master_secret
is not supported by exim, but I guess it should be ignored.
The client did not offer a cipher you have allowed.
You can do various tests to find out with openssl's s_client:
First find out what you would offer with openssl:
$ openssl ciphers
now you can compare it with the list the client sends, or you do it the
hard way and test it manually:
Examples:
$ openssl s_client --connect c1:25 -starttls smtp -ssl3
CONNECTED(00000003)
140007688099648:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
2021-05-31 14:32:15 TLS error on connection from (mail.example.com)
[XXXXXXXXXXX] (SSL_accept (SSLv3)): error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
$ openssl s_client --connect c1:25 -starttls smtp -tls1 -cipher RSA-PSK-AES128-CBC-SHA
( this one would work with tls1_3+ only )
CONNECTED(00000003)
140164130756416:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no
ciphers available:ssl/statem/statem_clnt.c:3801:No ciphers enabled for
max supported SSL/TLS version
2021-05-31 14:34:42 TLS error on connection from (mail.example.com)
[XXXXXXXXXXX] (SSL_accept): error:140940F4:SSL
routines:ssl3_read_bytes:unexpected message
TLS 1.3:
$ openssl s_client --connect c1:25 -starttls smtp -tls1_3 -cipher RSA-PSK-AES128-CBC-SHA
best regards,
Marius
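The comparison Marius describes, scripted as an added example (not code from either poster or from the Exim project): expand the cipher spec quoted in the thread with `openssl ciphers`, intersect it with the names the client offered, and probe each shared cipher with `s_client -starttls smtp`. The CLIENT_CIPHERS list is a constructed stand-in for what the client's Client Hello actually contains, and the host `c1:25` in the usage comment is the thread's own placeholder.

```bash
#!/bin/bash
# Added example: find out whether Exim's cipher spec and a client's offered
# ciphers have anything in common, then probe the overlap over STARTTLS.
# EXIM_SPEC is the spec quoted in the thread; CLIENT_CIPHERS is constructed
# (OpenSSL names, as you would decode them from the client's Client Hello).
EXIM_SPEC='ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES'
CLIENT_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:RSA-PSK-AES128-CBC-SHA'

# Expand an OpenSSL cipher spec into the concrete cipher names it selects.
expand_spec() { openssl ciphers "$1"; }

# Print, one per line, the names present in both colon-separated lists.
shared_ciphers() {
    comm -12 <(tr ':' '\n' <<<"$1" | sort -u) <(tr ':' '\n' <<<"$2" | sort -u)
}

# One TLS 1.2 handshake restricted to a single cipher; exit 0 = handshake completed.
probe_cipher() {
    openssl s_client -connect "$1" -starttls smtp -tls1_2 -cipher "$2" \
        </dev/null >/dev/null 2>&1
}

# Usage: diagnose host:port   (e.g. diagnose c1:25)
# Returns 1 when there is no shared cipher, which is exactly the case that
# produces the "handshake failure" alert 40 seen in the thread.
diagnose() {
    local server_list overlap c
    server_list=$(expand_spec "$EXIM_SPEC") || return 2
    overlap=$(shared_ciphers "$server_list" "$CLIENT_CIPHERS")
    if [ -z "$overlap" ]; then
        echo "no cipher in common: expect 'handshake failure' (alert 40)"
        return 1
    fi
    for c in $overlap; do
        if probe_cipher "$1" "$c"; then echo "OK   $c"; else echo "FAIL $c"; fi
    done
}
```

With the constructed client list, the `!DHE` and `!PSK` exclusions in the spec leave only ECDHE-RSA-AES256-GCM-SHA384 in the overlap, so that is the one cipher `diagnose` probes.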