On 31.05.2021 14:27, Viktor Dukhovni via Exim-users wrote:
> On Mon, May 31, 2021 at 01:44:39PM +0200, Marcin Gryszkalis via Exim-users wrote:
>> exim's cipher list is wide
>> ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>
> What is the reason for disabling DHE ciphers?
So there's no need to remember to prepare proper dh params, not
important anyway I guess.
> This cipher list looks rather kludgey. Try "DEFAULT".
This problem applies to one server only, any other can connect without
problems. I left TLS1.0 and 1.1 because they are still used. Here are
the stats from exim log:
2 TLS1.2:AES128-GCM-SHA256:128
3 TLS1.2:AES256-SHA:256
12 TLS1.2:AES256-GCM-SHA384:256
15 TLS1.1:ECDHE-ECDSA-AES256-SHA:256
18 TLS1.2:ECDHE-RSA-AES256-SHA:256
43 TLS1.1:ECDHE-RSA-AES256-SHA:256
54 TLS1.2:ECDHE-ECDSA-AES256-SHA384:256
149 TLS1:AES256-SHA:256
156 TLS1.2:DHE-RSA-AES256-GCM-SHA384:256
307 TLS1:DHE-RSA-AES256-SHA:256
313 TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128
384 TLS1:ECDHE-ECDSA-AES256-SHA:256
672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128
1214 TLS1:ECDHE-RSA-AES256-SHA:256
1467 TLS1.2:ECDHE-RSA-AES256-SHA384:256
3192 TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256
15980 TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
As you can see, this list has a common part with the list from the Client
Hello, e.g. the first one, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b),
is on the list ( 672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 ).
The curve proposed by client (secp256r1) is also supported.
>> 40884 openssl option, adding to 03104000: 02000000 (no_sslv3 +no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to 03104000: 01000000 (no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to 03104000: 00400000 (cipher_server_preference)
>> 40884 setting SSL CTX options: 0x3504000
>> 40884 Diffie-Hellman initialized from default with 2048-bit prime
>> 40884 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
>> 40884 tls_certificate file '/letsencrypt/certs/mail.domain.com/fullchain.pem'
>> 40884 tls_privatekey file '/letsencrypt/certs/mail.domain.com/privkey.pem'
>> 40884 Initialized TLS
>> 40884 required ciphers: ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>> 40884 host in tls_verify_hosts? no (option unset)
>> 40884 host in tls_try_verify_hosts? no (end of list)
>> 40884 SMTP>> 220 TLS go ahead
>> 40884 Calling SSL_accept
>> 40884 SSL_accept: before/accept initialization
>> 40884 SSL3 alert write:fatal:handshake failure
>
> That rather looks like your own server is initiating the handshake
> failure. It is writing the alert, not reading a remote alert.
I think it says that exim returned a handshake error (it did).
>> 40884 SSL_accept: error in error
>> 40884 SSL_accept: error in error
> I haven't seen that one much. Perhaps an issue in the Exim OpenSSL glue
> code.
Could be.
> The server does not believe it has any shared ciphers available. You
> should also check the system-wide "openssl.cnf" file for any vendor
> configured protocol or cipher restrictions.
It's FreeBSD's default openssl.cnf without any modifications.
>> wireshark dump from client hello
> This does not look like the entire client hello message.
I did some cleaning; here is the missing prefix:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 120
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 116
Version: TLS 1.2 (0x0303)
Random: 60b49...
GMT Unix Time: May 31, 2021 10:07:16.000000000 CEST
Random Bytes: f233...
Session ID Length: 0
>> Cipher Suites Length: 24
>> Cipher Suites (12 suites)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>> Compression Methods Length: 1
>> Compression Methods (1 method)
>> Compression Method: null (0)
>> Extensions Length: 51
>> Extension: supported_groups (len=4)
>> Type: supported_groups (10)
>> Length: 4
>> Supported Groups List Length: 2
>> Supported Groups (1 group)
>> Supported Group: secp256r1 (0x0017)
>> Extension: ec_point_formats (len=2)
>> Type: ec_point_formats (11)
>> Length: 2
>> EC point formats Length: 1
>> Elliptic curves point formats (1)
>> EC point format: uncompressed (0)
>> Extension: signature_algorithms (len=20)
>> Type: signature_algorithms (13)
>> Length: 20
>> Signature Hash Algorithms Length: 18
>> Signature Hash Algorithms (9 algorithms)
>> Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>> Signature Hash Algorithm Hash: SHA256 (4)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>> Signature Hash Algorithm Hash: SHA384 (5)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: ecdsa_sha1 (0x0203)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Signature Algorithm: SHA1 DSA (0x0202)
>> Signature Hash Algorithm Hash: SHA1 (2)
>> Signature Hash Algorithm Signature: DSA (2)
>> Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: RSA (1)
>> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>> Signature Hash Algorithm Hash: SHA512 (6)
>> Signature Hash Algorithm Signature: ECDSA (3)
>> Extension: session_ticket (len=0)
>> Type: session_ticket (35)
>> Length: 0
>> Data (0 bytes)
>> Extension: extended_master_secret (len=0)
>> Type: extended_master_secret (23)
>> Length: 0
>> Extension: renegotiation_info (len=1)
>> Type: renegotiation_info (65281)
>> Length: 1
>> Renegotiation Info extension
>> Renegotiation info extension length: 0
>
> And where's the server's reply (HELLO or alert?)?
It's the next packet:
Transport Layer Security
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
--
Marcin Gryszkalis, PGP 0xA5DBEEC7
http://fork.pl/gpg.txt
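An added check, not part of the thread: it expands the cipher string from the Exim debug log with the local OpenSSL and intersects it with the 12 suites in the captured Client Hello, which is the same overlap the poster worked out by hand from the log stats. The suite list is copied from the dump above; the cipher string is the one Exim logged as "required ciphers". Python's `ssl` module is used as a stand-in for Exim's OpenSSL glue, so the result reflects the OpenSSL this script runs against, not the FreeBSD box in the thread.

```python
import ssl

# Cipher string quoted from the Exim debug log in the thread.
EXIM_CIPHERS = "ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES"

# The 12 suites from the captured Client Hello (IANA code points), in client order.
CLIENT_HELLO_SUITES = [
    (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
    (0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384"),
    (0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    (0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
    (0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def server_enabled_suites(cipher_string):
    """Map IANA id -> OpenSSL name for every suite the local OpenSSL enables
    for this cipher string. OpenSSL's internal id is 0x0300xxxx; the low 16
    bits are the code point that appears in a Client Hello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(cipher_string, client_suites):
    """Suites both sides allow, kept in the client's offered order."""
    enabled = server_enabled_suites(cipher_string)
    return [(cid, enabled[cid]) for cid, _ in client_suites if cid in enabled]


def server_preferred(cipher_string, client_suites):
    """With cipher_server_preference set (as in the Exim log) OpenSSL walks
    its own ordered list and takes the first suite the client also offered."""
    client_ids = {cid for cid, _ in client_suites}
    enabled = server_enabled_suites(cipher_string)  # dict keeps server order
    for cid, name in enabled.items():
        if cid in client_ids:
            return cid, name
    return None


if __name__ == "__main__":
    for cid, name in shared_suites(EXIM_CIPHERS, CLIENT_HELLO_SUITES):
        print(f"0x{cid:04x} {name}")
    print("server would pick:", server_preferred(EXIM_CIPHERS, CLIENT_HELLO_SUITES))
```

A non-empty overlap only shows the cipher string itself is not what rejected the hello; OpenSSL still needs a certificate whose key type matches the chosen suite, a supported group the client offered (here only secp256r1) and an acceptable signature algorithm, none of which this check covers.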