Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSL…

Top Page
Delete this message
Reply to this message
Author: Michael J. Tubby B.Sc. MIET
Date:  
To: Chris Siebenmann, Exim User List
New-Topics: Re: [exim] TLS certificate of hotmail.co.uk primary MX
Subject: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?


On 3/30/2017 4:18 PM, Chris Siebenmann wrote:
>> I think I'm going to have to go and buy a plain RSA2048/SHA256 cert
>> from RapidSSL or Comodo for one host (relay1.thorcom.net) and see if
>> the problem goes away :-(
> One option for testing purposes is a Let's Encrypt certificate (which are
> normally issued with SHA256).
>
> You could potentially set it up on a separate host that's only running
> a mailer temporarily, and then deliberately send email to it from
> outlook.com.
>
>     - cks



I've just knocked up a script to build self-signed RSA2048/SHA256
keys/certs on our production boxes and the problem with outlook.com has
gone away - outlook.com outbound hosts are now connecting and delivering
again:

2017-03-30 16:32:38 1ctc3y-0006rL-4Z <= karen.rowland@???
H=mail-oln040092067049.outbound.protection.outlook.com
(EUR02-AM5-obe.outbound.protection.outlook.com) [40.92.67.49] P=esmtps
X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no K S=2016080
id=AM5PR0901MB1538D674D09534853BF3C3D8EC340@???

and they're using TLSv1.2 with strong ciphers ECDHE-RSA-AES256-SHA384 so
you'd think they'd be able to get the ECC cert stuff working...


What's more now I find that Microsoft are also 'broken' in the other
direction as their host names and certificates don't match!

2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error:
certificate name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft
Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com"
H="hotmail-co-uk.olc.protection.outlook.com"

Perhaps they haven't heard of load balancers and/or wildcard
certificates yet over in Redmond?



Mike