Your real problem is that this file is different based on which CentOS you're on [or should I say, which openssl is loaded]. If you have CentOS 7, with openssl 1.0.2k, you can tune this file to include each cipher you want [the file can actually be 10+ lines long wrapped]. This is so you can remove all the "hacked" ciphers, especially to force your clients' security to remain high. If you're running openssl 0.9.x, you don't get the newer TLS ciphers you need to be secure.

Using the default is way too low, and if you do, you will where someone gets hacked over a 'free' WiFi connection [because you had SSL 3.0/TLS 1.0 on].

Carl

From: Gary Bowling [mailto:[email protected]]
Sent: Tuesday, September 03, 2019 02:58 PM
To: [email protected]
Subject: Re: [qmailtoaster] SSL Problem Dovecot

So this may be an issue of the tlsserverciphers file. Sometimes it's interesting not knowing what you're doing! haha

I guess the question I have is.. What is the proper tlsserverciphers for a qmailtoaster with a letsencrypt certificate. If that even makes sense. And what is the proper way to actually do it.

I've read multiple things on various forums, including here. One says to do:

echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers

One says to do:

openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > /var/qmail/control/tlsserverciphers

yet another says to create a sym link to the servercert.pem file.

ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers

I guess it has to do with how tight you want security to be and maybe tlsserverciphers can contain various forms of how to define that. Just looking for what "most" people would use for an up to date Centos 7 server.

Thanks, Gary

On 9/3/2019 11:04 AM, Gary Bowling wrote:
> I had to get a new cert for my server, which I installed yesterday. Now I'm having problems with certain clients logging in. I get the following error in the dovecot.log.
>
> TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines: ssl3_get_client_hello:wrong version number
>
> Any help would be appreciated.
>
> Thanks, Gary
>
> --
> Gary Bowling

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
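Gary asks which cipher string to put in tlsserverciphers, and Carl's point is that the file should be tuned to drop weak suites. The script below is an added example, not from the thread and not qmail-toaster's own tooling: it audits the suite list that a candidate string expands to (the output of `openssl ciphers -v`) and flags suites a defender would not want a mail server offering. The rules it applies (RC4, DES/3DES or NULL encryption, MD5 MACs, anonymous authentication, and plain-RSA key exchange flagged for lacking forward secrecy) are the editor's assumptions, as is the constructed sample list it carries so it can run without openssl installed. Note that the protocol column in `openssl ciphers -v` is the version a suite was first defined for, not the version the server will negotiate, so it is not used as a weakness signal here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the cipher suites a
# tlsserverciphers string expands to before writing it to
# /var/qmail/control/tlsserverciphers.

# Constructed sample of `openssl ciphers -v` output so the audit runs offline.
# Column 2 is the protocol the suite was *defined* for, not what gets negotiated.
SAMPLE_CIPHER_LIST='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1'

# audit_cipher_lines: read `openssl ciphers -v` lines on stdin, print one
# "FLAG <suite>: <reasons>" line per problematic suite, and return the number
# of flagged suites (0 means the list passed). The rules are this example's
# assumptions about what a mail server should not offer.
audit_cipher_lines() {
    awk '
    {
        reason = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            # Broken or absent encryption: RC4, single/triple DES, NULL.
            if (kv[1] == "Enc" && kv[2] ~ /^(RC4|3DES|DES|None)/) reason = reason " " $i
            # MD5-based record MACs.
            if (kv[1] == "Mac" && kv[2] == "MD5") reason = reason " " $i
            # Anonymous suites: no server authentication at all.
            if (kv[1] == "Au" && kv[2] == "None") reason = reason " " $i
            # Static RSA key exchange: works, but offers no forward secrecy.
            if (kv[1] == "Kx" && kv[2] == "RSA") reason = reason " no-forward-secrecy"
        }
        if (reason != "") { print "FLAG " $1 ":" reason; flagged++ }
    }
    END { exit flagged }'
}

# audit_sample: run the audit over the embedded sample list.
audit_sample() {
    printf '%s\n' "$SAMPLE_CIPHER_LIST" | audit_cipher_lines
}

# audit_cipher_string STRING: expand a candidate tlsserverciphers string with
# the local openssl and audit the result. Needs openssl on PATH; the exit
# status is the number of flagged suites, so 0 means "safe to write".
audit_cipher_string() {
    openssl ciphers -v "$1" | audit_cipher_lines
}

# Usage: sh audit-ciphers.sh 'HIGH:!aNULL:!MD5:!RC4:!3DES'
# With no argument nothing runs; source the file and call the functions.
if [ $# -gt 0 ]; then
    audit_cipher_string "$1"
fi
```

Run it against the two strings quoted in the thread (and anything else you are considering) and only write the file once the exit status is 0; the FLAG lines tell you which suite in the expansion is dragging the list down, which is more useful than guessing from the string itself.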
