[exim] "Could not negotiate a supported cipher suite" with 2…

Author: Magnus Holmgren
Date:  
To: Exim Users
Subject: [exim] "Could not negotiate a supported cipher suite" with 2048-bit RSA server key
Hello, it's been a long time since I got a job and could no longer devote a
lot of time to Exim, and all this time Exim has been doing its thing without
needing much attention.

However, I upgraded my RSA key from a 1024-bit one to 2048 bits the other day
because cacert.org requires at least that strong a key. Also, the certificate
is signed by an intermediate certificate that had to be included in the
tls_certificate file. Now TLS 1.2 doesn't work. mainlog says "Could not
negotiate a supported cipher suite" and openssl s_client says (after sending
the client handshake):

> read from 0xfbbf40 [0xfc1f70] (7 bytes => 0 (0x0))
> 140599792219816:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177: ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 248 bytes and written 352 bytes


Disabling TLS 1.2 with e.g. tls_require_ciphers = NORMAL:-VERS-TLS1.2 makes
the handshake succeed.

This is on Debian stable with Exim 4.80 and libgnutls 2.12.20. Anyone seen
this before?

You can connect to fw.kibibyte.se:25 and do STARTTLS if you want to see the
certificates. The above workaround is currently in effect, however.

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
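As an added example (not part of the original post, and not Exim's or GnuTLS's code): a small Python probe that does what the poster did with openssl s_client, but one TLS protocol version at a time, so that a "TLS 1.2 fails while 1.0/1.1 still negotiate" pattern after a key or certificate change shows up directly. The host name is a placeholder, the diagnosis labels are my own, and the TLS 1.3 row is an addition beyond what the thread discusses (it predates TLS 1.3); the STARTTLS client itself uses only the standard library's smtplib and ssl modules.

```python
"""Probe an SMTP server's STARTTLS handshake one TLS version at a time.

Added diagnostic example; assumes a reachable SMTP server on port 25 that
advertises STARTTLS. Certificate verification is deliberately disabled
because the question being asked is "does the handshake complete at all?",
not "is the chain valid?".
"""
import smtplib
import ssl

# Versions to compare. TLS 1.3 is included for completeness on modern
# clients; the original report only concerned TLS 1.0/1.1 versus 1.2.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def make_context(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnosis only, see module docstring
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL builds with a default security level above 0 refuse
        # TLS 1.0/1.1 outright; lower it so those probes are meaningful.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # non-OpenSSL backend: keep defaults
    return ctx


def probe(host, port, version, timeout=10):
    """Return (ok, detail): cipher name on success, error text on failure."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=make_context(version))
            return True, smtp.sock.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError) as exc:
        return False, str(exc)


def probe_all(host, port=25):
    """Map each version label to its probe result."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS}


def diagnose(results):
    """Classify a {label: (ok, detail)} map. Pure, so it is testable offline.

    'tls12-only-failure' is the pattern from the report: older versions
    negotiate but TLS 1.2 does not, which points at the server's TLS library
    or its cipher/key configuration rather than at TLS being off entirely.
    """
    ok = {label for label, (good, _) in results.items() if good}
    if not ok:
        return "no-tls"
    if "TLSv1.2" not in ok and ({"TLSv1.0", "TLSv1.1"} & ok):
        return "tls12-only-failure"
    return "ok"


if __name__ == "__main__":
    HOST = "mail.example.test"          # placeholder: use your own server
    res = probe_all(HOST)
    for label, (good, detail) in res.items():
        print(f"{label:8} {'OK  ' if good else 'FAIL'} {detail}")
    print("diagnosis:", diagnose(res))
```

Run it against your own mail host after rotating a key or adding an intermediate certificate; a `tls12-only-failure` verdict reproduces the symptom in the report without touching the server's Exim configuration, and the per-version cipher names tell you what the workaround in `tls_require_ciphers` is actually leaving you with.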