Hi, I have problem with one server connecting to my exim.
Just after Client Hello server sends "Handshake Failure" and closes
connection.
exim's cipher list is wide
ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
and contains ciphers that are mentioned by client, the same for curves,
signatures etc. The only difference is extended_master_secret is not
supported by exim but I guess it should be ignored.
Debug is not really helpful - especially strange "error in error"
message. I don't know if/how I can get more details about reasons of error.
debug output
40884 openssl option, adding to 03104000: 02000000 (no_sslv3
+no_sslv2 +cipher_server_preference)
40884 openssl option, adding to 03104000: 01000000 (no_sslv2
+cipher_server_preference)
40884 openssl option, adding to 03104000: 00400000
(cipher_server_preference)
40884 setting SSL CTX options: 0x3504000
40884 Diffie-Hellman initialized from default with 2048-bit prime
40884 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
40884 tls_certificate file
'/letsencrypt/certs/mail.domain.com/fullchain.pem'
40884 tls_privatekey file '/letsencrypt/certs/mail.domain.com/privkey.pem'
40884 Initialized TLS
40884 required ciphers:
ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
40884 host in tls_verify_hosts? no (option unset)
40884 host in tls_try_verify_hosts? no (end of list)
40884 SMTP>> 220 TLS go ahead
40884 Calling SSL_accept
40884 SSL_accept: before/accept initialization
40884 SSL3 alert write:fatal:handshake failure
40884 SSL_accept: error in error
40884 SSL_accept: error in error
40884 TLS error '(SSL_accept): error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher'
40884 LOG: MAIN
40884 TLS error on connection from mail.externaldomain.com [1.2.3.4]
I=[192.168.1.3]:25 (SSL_accept): error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
40884 TLS failed to start
40884 LOG: smtp_connection MAIN
40884 SMTP connection from mail.externaldomain.com [1.2.3.4]
I=[192.168.1.3]:25 closed by EOF
wireshark dump from client hello
Cipher Suites Length: 24
Cipher Suites (12 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 51
Extension: supported_groups (len=4)
Type: supported_groups (10)
Length: 4
Supported Groups List Length: 2
Supported Groups (1 group)
Supported Group: secp256r1 (0x0017)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=20)
Type: signature_algorithms (13)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: SHA1 DSA (0x0202)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Extension: session_ticket (len=0)
Type: session_ticket (35)
Length: 0
Data (0 bytes)
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
--
Marcin Gryszkalis, PGP 0xA5DBEEC7
http://fork.pl/gpg.txt