Re: [exim] TLS error when configuring exim for STARTTLS

Author: Tom Vernon
Date:  
To: exim-users
Subject: Re: [exim] TLS error when configuring exim for STARTTLS
You wouldn't believe it. Just discovered that the load balancers in
front of Exim had been configured to rewrite the payload and forge
STARTTLS before it even hit the mailserver. I've reconfigured the load
balancers and Exim is behaving as expected now. Thought I was going mad
making all those changes and them having no effect!

Kind Regards

Tom Vernon

On 22/03/2015 09:28, Viktor Dukhovni wrote:
> On Sun, Mar 22, 2015 at 08:59:39AM +0000, Jeremy Harris wrote:
>
>> On 19/03/15 01:09, Tom Vernon wrote:
>>> 2015-03-19 00:04:02 TLS error on connection from (ME) [xx.xx.xx.xx]
>>> (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>>> protocol
>> Sounds like an ssl protocol version issue.
> Almost always, "unknown protocol" means that the data received was
> not a TLS client HELLO at all, but rather some cleartext or other
> data that is not a TLS handshake (in some rare cases a malformed
> TLS record-layer packet due to implementation bugs).
>
> From ssl/s23_srvr.c:
>
>      if ((type < 1) || (type > 3)) {
>          /* bad, very bad */
>          SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
>          goto err;
>      }
>
> The point of the code sample is that the protocol is not any
> plausible SSL/TLS version that's ever been defined.
>
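The check Viktor quotes decides, from the first bytes on the socket, whether a TLS ClientHello arrived at all. The following added diagnostic (not from the thread or from OpenSSL) mirrors that decision so that an "unknown protocol" log line can be explained from a capture of what the mail server actually received, e.g. cleartext SMTP that an intermediate device let through after it had handled STARTTLS itself; the sample byte strings are constructed.

```python
"""Classify the first bytes a TLS server reads after the client sent STARTTLS."""

# SMTP verbs a cleartext client sends if it never began a handshake.
SMTP_VERBS = (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA",
              b"QUIT", b"STARTTLS", b"NOOP", b"RSET")


def classify_first_bytes(data: bytes) -> str:
    """Return what the first bytes on the wire look like to an SSL/TLS server.

    'tls_record'     a TLS record-layer header carrying a ClientHello
    'sslv2_hello'    an SSLv2-format ClientHello (legacy clients)
    'smtp_cleartext' an SMTP command: the peer never started a handshake
    'unknown'        none of the above; the case ssl/s23_srvr.c rejects
                     with SSL_R_UNKNOWN_PROTOCOL
    """
    if len(data) < 5:
        return "unknown"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, length.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # The first handshake message inside the record must be ClientHello (1).
        if len(data) >= 6 and data[5] == 0x01:
            return "tls_record"
        return "unknown"
    # SSLv2 ClientHello: 2-byte length with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2_hello"
    verb = data.split(b" ", 1)[0].rstrip(b"\r\n").upper()
    if verb in SMTP_VERBS:
        return "smtp_cleartext"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples of what a capture on the server side might show.
    samples = {
        "TLS 1.0 record with ClientHello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
        "SSLv2-format ClientHello": b"\x80\x2e\x01\x00\x02\x00\x15",
        "cleartext SMTP after STARTTLS": b"EHLO mail.example.com\r\n",
        "garbage": b"\x00\x00\x00\x00\x00\x00",
    }
    for label, raw in samples.items():
        print(f"{label:32s} -> {classify_first_bytes(raw)}")
```

Run it against the first bytes from a server-side capture of the failing session; "smtp_cleartext" points at something between client and server having consumed the STARTTLS exchange.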