On 2015-01-09 07:27, m...@ruggedinbox.com wrote:
Hi all, when hardening dovecot against the POODLE vulnerability,
we followed the advice to disable SSL2 and SSL3,
but this is giving problems with some email clients (claws-mail).

ssl_protocols = !SSLv2 !SSLv3

results in the following error:

dovecot: pop3-login: Disconnected (no auth attempts in 1 secs):
user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
session=<2C8jBjIMmQBVGNd1>

The error message says 'no shared cipher'. So it is not related to the ssl_protocols setting. The error means that there is no common cipher between the server and client.

What is your setting for ssl_cipher_list?

Try to expand the cipher string with the openssl cipher command:

openssl ciphers '<your ssl_cipher_list string>'

Make sure you did not include !SSLv3 in the ciphers string. SSLv3 in the ciphers string is an alias for all ciphers defined in SSLv3. It also includes ciphers like 'DHE-RSA-AES256-SHA'. On older OpenSSL versions like 0.9.8 there will not be much left without these ciphers:

$ openssl ciphers 'ALL:!SSLv3'
DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5

If you also exclude LOW and MD5, there is nothing left:

$ openssl ciphers 'ALL:!LOW:!MD5:!SSLv3'
Error in cipher list
14478:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:

--
Markus
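The distinction Markus draws above, as an added example that is not part of this thread: a small Python check that reads ssl_protocols and ssl_cipher_list from a constructed Dovecot fragment, expands the cipher string through the same OpenSSL parser that 'openssl ciphers' uses (via Python's ssl module), and flags protocol aliases such as !SSLv3 that belong in ssl_protocols, not in the cipher list. The config text, PROTOCOL_ALIASES and the function names are assumptions made for this example.

```python
import re
import ssl

# Constructed Dovecot fragment (not from the thread). The SSLv3 protocol is
# correctly disabled in ssl_protocols, but '!SSLv3' has also been copied into
# ssl_cipher_list, where it is a cipher ALIAS that strips every SSLv3-era suite.
DOVECOT_CONF = """
ssl = required
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!MD5:!SSLv3
"""

# Cipher-string tokens that name a protocol rather than a cipher family.
# Negating one of these in ssl_cipher_list is almost always a mix-up with
# ssl_protocols. (Assumed list for this example.)
PROTOCOL_ALIASES = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.2", "TLSv1.3"}


def parse_dovecot_ssl(conf):
    """Return {setting: value} for the ssl_* lines of a Dovecot config fragment."""
    settings = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(ssl_\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def expand_ciphers(spec):
    """Expand a cipher string like 'openssl ciphers <spec>' does.

    Returns (names, error): the cipher suites the string selects, and the
    OpenSSL error text when nothing matches (the 'no cipher match' failure
    shown in the thread).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return [], str(exc)
    return [c["name"] for c in ctx.get_ciphers()], None


def audit_cipher_list(spec):
    """Report negated protocol aliases and what the cipher string actually selects."""
    tokens = spec.split(":")
    negated = [t[1:] for t in tokens if t.startswith("!") and t[1:] in PROTOCOL_ALIASES]
    names, error = expand_ciphers(spec)
    return {"negated_protocol_aliases": negated, "cipher_count": len(names), "error": error}


if __name__ == "__main__":
    settings = parse_dovecot_ssl(DOVECOT_CONF)
    print(settings["ssl_protocols"], audit_cipher_list(settings["ssl_cipher_list"]))
```

On a current OpenSSL the string still expands (TLSv1.2 suites survive the !SSLv3 alias), so the audit's alias warning is what catches the mistake; on 0.9.8 the same string produces the 'no cipher match' error quoted above.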
