And as Joel mentioned, a fix is already arriving for this - there was a bug in SSLv2-compatible handshake initiation, and Paypal still has it enabled... (yeeeeeeuch)

On Mon, Mar 6, 2017 at 3:48 PM, Bob Beck <b...@obtuse.com> wrote:
>
> Move it to tech@ from misc.. not libressl.. libressl is not special ;)
>
> On Mon, Mar 6, 2017 at 3:21 PM, Kirill Miazine <k...@krot.org> wrote:
>
>> Moving to libressl@ from misc@, as it's a LibreSSL issue.
>>
>> * Joel Sing [2017-03-05 23:01]:
>>
>> On Thursday 02 March 2017 13:28:08 Kirill Miazine wrote:
>>>
>>>> Recently I've noticed a number of error messages in my Exim mail log:
>>>>
>>>> TLS error on connection from mx1.slc.paypal.com (mx0.slc.paypal.com)
>>>> [173.0.84.226] \ (SSL_accept): error:1403741B:SSL
>>>> routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert decrypt error TLS client
>>>> disconnected cleanly (rejected our certificate?)
>>>>
>>>
>>> This is most likely the same issue as that reported on the libressl@
>>> mailing list a day or so ago - expect a fix to arrive shortly.
>>>
>>
>> I rebuilt exim on latest snapshot (OpenBSD 6.1-beta (GENERIC.MP) #213:
>> Mon Mar 6 12:31:59 MST 2017) and the error looks different now:
>>
>> TLS error on connection from mx0.phx.paypal.com [66.211.168.230] \
>> (SSL_accept): error:14039119:SSL routines:ACCEPT_SR_CERT_VRFY:decryption \
>> failed or bad record mac
>>
>> --
>> -- Kirill Miazine <k...@krot.org>