Re: [exim] TLS error no shared cipher with SSL_accept: error in error

Viktor Dukhovni via Exim-users Mon, 31 May 2021 14:02:32 -0700

On Mon, May 31, 2021 at 11:08:22PM +0300, Evgeniy Berdnikov via Exim-users 
wrote:


> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> >     Session-ID: ...
> >     Session-ID-ctx:
> >     Master-Key: ...
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1622470949
> >     Timeout   : 7200 (sec)
> >     Verify return code: 0 (ok)
> > 
> > 
> > But - I tried to specify the curve and it failed
> > 
> > openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> > ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1

This cipher requires the server to have an ECDSA certificate,
you've probably only configured an RSA certificate.  The
support SHA384 ciphers in OpenSSL 1.1.1 are:

    $ OpenSSL_1_1_1/bin/openssl ciphers -s -tls1_2 -v ALL+SHA384
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  
Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA 
Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) 
Mac=SHA384

>  It looks like recent libssl considers ECDHE-ECDSA-AES256-GCM-SHA384
>  as TLSv1.3-only cipher. And post-handshake message mentions it
>  in some other manner:

That's not the case.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] TLS error no shared cipher with SSL_accept: error in error

Reply via email to