[exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 d…

Top Page
Delete this message
Reply to this message
Author: Mike Tubby
Date:  
To: exim-users
Subject: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?
All,

I have recently installed our COMODO 384-bit ECC PositiveSSL Widlcard
Certificate (*.thorcom.net) on relay1|relay2|relay3.thorcom.net and am
seeing lots of TLS errors:

     (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no 
shared cipher


followed by:

     TLS client disconnected cleanly (rejected our certificate?)


from hosts that I'm fairly sure used to work ok with our old self-signed
2048-bit RSA cert.

Example:

2017-03-29 18:45:25 TLS error on connection from
358939-web3.datainterconnect.co.uk [92.52.73.71] (SSL_accept):
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:45:53 TLS error on connection from
358938-web2.datainterconnect.co.uk [92.52.73.70] (SSL_accept):
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:51:20 TLS error on connection from simone.ucs.mun.ca
[134.153.232.76] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:51:30 TLS error on connection from simone.ucs.mun.ca
[134.153.232.76] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:10 TLS error on connection from mx1.slc.paypal.com
(mx2.slc.paypal.com) [173.0.84.226] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:24 TLS error on connection from mx2.slc.paypal.com
(mx0.slc.paypal.com) [173.0.84.227] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:26 TLS error on connection from mx2.slc.paypal.com
(mx0.slc.paypal.com) [173.0.84.227] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:53:43 TLS error on connection from mx0.slc.paypal.com
[173.0.84.225] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:25 TLS error on connection from avasout05.plus.net
[84.93.230.250] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:36 TLS error on connection from mail.wia.org.au
(echo.vintek.net) [223.25.225.6] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:54:36 TLS error on connection from avasout05.plus.net
[84.93.230.250] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:58:14 TLS error on connection from
ng12-ip5.bullet.mail.ne1.yahoo.com [98.138.215.211] (SSL_accept):
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 18:58:25 TLS error on connection from msbadger0201.apple.com
[17.254.6.118] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:00:46 TLS error on connection from avasout05.plus.net
[84.93.230.250] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:00:46 TLS error on connection from avasout05.plus.net
[84.93.230.250] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:06:17 TLS error on connection from
mail-oln040092071039.outbound.protection.outlook.com
(EUR03-DB5-obe.outbound.protection.outlook.com) [40.92.71.39]
(SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher
2017-03-29 19:06:18 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:06:18 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:09:18 TLS error on connection from
mail-sn1nam01on0075.outbound.protection.outlook.com
(NAM01-SN1-obe.outbound.protection.outlook.com) [104.47.32.75]
(SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher
2017-03-29 19:10:48 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:10:48 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:10:49 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:12:31 TLS error on connection from (mail.thorcom.co.uk)
[2a00:2381:19c6::2000] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-03-29 19:17:34 TLS error on connection from avasout06.plus.net
[212.159.14.18] (SSL_accept): error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I've left the repeated: TLS client disconnected cleanly (rejected our
certificate?) out of this as it adds nothing ...

This appears to suggest that the client is attempting SSLv3 (unless the
debug messages are misleading) however I have SSLv3 disabled in Exim config.

My config snippets:


#
# Enable TLS with strong ciphers
#
MAIN_TLS_ENABLE = true

# Comodo ECC new on 17-MAR-2017
tls_certificate = /........./thorcom.net-comodo-bundle.crt
tls_privatekey = /........./thorcom.net.key

# advertise TLS to everyone
tls_advertise_hosts = *

# Ciphers: all the EC and GCM first then degrade gracefully
tls_require_ciphers =
kEECDH+AESGCM:ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:RC4+MEDIUM:!aNULL:!eNULL:!MD5:!DSS

# disable SSLv2 SSLv3 and compression - force server preference for ciphers
openssl_options = -all +no_sslv2 +no_sslv3 +no_compression
+cipher_server_preference

# advertise auth to TLS sessions only
auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}



Running the tests at ssl-tools.net:

     https://ssl-tools.net/mailservers/relay1.thorcom.net


appears to show that everything is in order and that SLv3 is, in fact,
disabled:


    Servers



      Incoming Mails


These servers are responsible for incoming mails
to*@???*addresses.

Hostname / IP address     Priority     STARTTLS     Certificates     Protocol     

    
relay1.thorcom.net
195.171.43.32
    -     
supported
    *.thorcom.net 
<https://ssl-tools.net/mailservers/relay1.thorcom.net#f4b04d03d0516cf01a5d7a771d4a4dc43779446d> 



DANE
    missing
PFS
    supported
Heartbleed
    not vulnerable
Weak ciphers
    not found


    

* TLSv1.2
* TLSv1.1
* TLSv1.0
* SSLv3

    2017-03-17
3.0 s
relay1.thorcom.net
2a00:2381:19c6::3200
    -     
supported
    *.thorcom.net 
<https://ssl-tools.net/mailservers/relay1.thorcom.net#f4b04d03d0516cf01a5d7a771d4a4dc43779446d> 



DANE
    missing
PFS
    supported
Heartbleed
    not vulnerable
Weak ciphers
    not found


    

* TLSv1.2
* TLSv1.1
* TLSv1.0
* SSLv3

    2017-03-17
3.0 s




So, is the problem:

     1. clients rejecting my ECC 384 bit certificate?
     2. clients persisting in trying SSLv3 when it is, in fact, disabled
     3. brain dead clients unable to use decent modern/strong/PFS 
ciphers - some of which are mandated in TLSv1.0, v1.1 and v1.2



Mike