On Mon, Dec 06, 2021 at 10:35:45AM -0500, Steve wrote:
> Hello.
>
> I recently upgraded my mail server from openbsd 6.8 to 7.0, and I now have one
> person that cannot email me due to:
>
> io-error: handshake failed: error:140260C1:SSL
> routines:ACCEPT_SR_CLNT_HELLO:no shared cipher
>
> I'm guessing the allowed ciphers changed on my end after the upgrade. Does
> anyone know what ciphers I would need to add back?
>
> Thank you. Steve.

The person attempting to email me is using:

TLSv1.2:ECDHE-RSA-AES256-SHA384:256

In my smtpd.conf, if my "listen" statement has "ciphers all" (or insecure) the person can email me with the above crypto. If cipher is set to default (or secure) it will block the email with "no shared cipher" error message.

Where do you find the definition of cipher settings: all, insecure, default, etc? The "man tls_config_set_ciphers" mentions them but doesn't define them. Neither does "man openssl".

"TLSv1.2:ECDHE-RSA-AES256-SHA384:256" looks reasonably modern, why is it not part of "ciphers secure"?

Steve
