Re: [exim] TLS error no shared cipher with SSL_accept: error…

Author: Marcin Gryszkalis
Date:
To: exim-users
Subject: Re: [exim] TLS error no shared cipher with SSL_accept: error in error
On 31.05.2021 14:27, Viktor Dukhovni via Exim-users wrote:
> On Mon, May 31, 2021 at 01:44:39PM +0200, Marcin Gryszkalis via Exim-users wrote:
>> exim's cipher list is wide
>> ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>
> What is the reason for disabling DHE ciphers?


So there's no need to remember to prepare proper dh params, not
important anyway I guess.

> This cipher list looks rather kludgey. Try "DEFAULT".


This problem applies to one server only, any other can connect without
problems. I left TLS1.0 and 1.1 because they are still used. Here are
the stats from exim log:

    2 TLS1.2:AES128-GCM-SHA256:128
    3 TLS1.2:AES256-SHA:256
   12 TLS1.2:AES256-GCM-SHA384:256
   15 TLS1.1:ECDHE-ECDSA-AES256-SHA:256
   18 TLS1.2:ECDHE-RSA-AES256-SHA:256
   43 TLS1.1:ECDHE-RSA-AES256-SHA:256
   54 TLS1.2:ECDHE-ECDSA-AES256-SHA384:256
  149 TLS1:AES256-SHA:256
  156 TLS1.2:DHE-RSA-AES256-GCM-SHA384:256
  307 TLS1:DHE-RSA-AES256-SHA:256
  313 TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128
  384 TLS1:ECDHE-ECDSA-AES256-SHA:256
  672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128
1214 TLS1:ECDHE-RSA-AES256-SHA:256
1467 TLS1.2:ECDHE-RSA-AES256-SHA384:256
3192 TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256
15980 TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256


As you can see, this list has a common part with the list from the Client
Hello, e.g. the first one - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
is on the list ( 672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 )

The curve proposed by client (secp256r1) is also supported.

>> 40884 openssl option, adding to     03104000: 02000000 (no_sslv3 +no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to     03104000: 01000000 (no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to     03104000: 00400000 (cipher_server_preference)
>> 40884 setting SSL CTX options: 0x3504000
>> 40884 Diffie-Hellman initialized from default with 2048-bit prime
>> 40884 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
>> 40884 tls_certificate file '/letsencrypt/certs/mail.domain.com/fullchain.pem'
>> 40884 tls_privatekey file  '/letsencrypt/certs/mail.domain.com/privkey.pem'
>> 40884 Initialized TLS
>> 40884 required ciphers: ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>> 40884 host in tls_verify_hosts? no (option unset)
>> 40884 host in tls_try_verify_hosts? no (end of list)
>> 40884 SMTP>> 220 TLS go ahead
>> 40884 Calling SSL_accept
>> 40884 SSL_accept: before/accept initialization
>> 40884 SSL3 alert write:fatal:handshake failure

>
> That rather looks like your own server is initiating the handshake
> failure. It is writing the alert, not reading a remote alert.


I think it says that exim returned handshake error (it did).

>> 40884 SSL_accept: error in error
>> 40884 SSL_accept: error in error
> I haven't seen that one much. Perhaps an issue in the Exim OpenSSL glue
> code.


Could be.

> The server does not believe it has any shared ciphers available. You
> should also check the system-wide "openssl.cnf" file for any vendor
> configured protocol or cipher restrictions.


It's the default FreeBSD openssl.cnf without any modifications.

>> wireshark dump from client hello
> This does not look like the entire client hello message.


I did some cleaning, here is the missing prefix:
Transport Layer Security
     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
         Content Type: Handshake (22)
         Version: TLS 1.2 (0x0303)
         Length: 120
         Handshake Protocol: Client Hello
             Handshake Type: Client Hello (1)
             Length: 116
             Version: TLS 1.2 (0x0303)
             Random: 60b49...
                 GMT Unix Time: May 31, 2021 10:07:16.000000000 CEST
                 Random Bytes: f233...
             Session ID Length: 0


>>               Cipher Suites Length: 24
>>               Cipher Suites (12 suites)
>>                   Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>>                   Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>>                   Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>>                   Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>>                   Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>>                   Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>>                   Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>>                   Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>>                   Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>>                   Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>>                   Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>>                   Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>>               Compression Methods Length: 1
>>               Compression Methods (1 method)
>>                   Compression Method: null (0)
>>               Extensions Length: 51
>>               Extension: supported_groups (len=4)
>>                   Type: supported_groups (10)
>>                   Length: 4
>>                   Supported Groups List Length: 2
>>                   Supported Groups (1 group)
>>                       Supported Group: secp256r1 (0x0017)
>>               Extension: ec_point_formats (len=2)
>>                   Type: ec_point_formats (11)
>>                   Length: 2
>>                   EC point formats Length: 1
>>                   Elliptic curves point formats (1)
>>                       EC point format: uncompressed (0)
>>               Extension: signature_algorithms (len=20)
>>                   Type: signature_algorithms (13)
>>                   Length: 20
>>                   Signature Hash Algorithms Length: 18
>>                   Signature Hash Algorithms (9 algorithms)
>>                       Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>>                           Signature Hash Algorithm Hash: SHA256 (4)
>>                           Signature Hash Algorithm Signature: RSA (1)
>>                       Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>>                           Signature Hash Algorithm Hash: SHA384 (5)
>>                           Signature Hash Algorithm Signature: RSA (1)
>>                       Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>>                           Signature Hash Algorithm Hash: SHA1 (2)
>>                           Signature Hash Algorithm Signature: RSA (1)
>>                       Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>>                           Signature Hash Algorithm Hash: SHA256 (4)
>>                           Signature Hash Algorithm Signature: ECDSA (3)
>>                       Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>>                           Signature Hash Algorithm Hash: SHA384 (5)
>>                           Signature Hash Algorithm Signature: ECDSA (3)
>>                       Signature Algorithm: ecdsa_sha1 (0x0203)
>>                           Signature Hash Algorithm Hash: SHA1 (2)
>>                           Signature Hash Algorithm Signature: ECDSA (3)
>>                       Signature Algorithm: SHA1 DSA (0x0202)
>>                           Signature Hash Algorithm Hash: SHA1 (2)
>>                           Signature Hash Algorithm Signature: DSA (2)
>>                       Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>>                           Signature Hash Algorithm Hash: SHA512 (6)
>>                           Signature Hash Algorithm Signature: RSA (1)
>>                       Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>>                           Signature Hash Algorithm Hash: SHA512 (6)
>>                           Signature Hash Algorithm Signature: ECDSA (3)
>>               Extension: session_ticket (len=0)
>>                   Type: session_ticket (35)
>>                   Length: 0
>>                   Data (0 bytes)
>>               Extension: extended_master_secret (len=0)
>>                   Type: extended_master_secret (23)
>>                   Length: 0
>>               Extension: renegotiation_info (len=1)
>>                   Type: renegotiation_info (65281)
>>                   Length: 1
>>                   Renegotiation Info extension
>>                       Renegotiation info extension length: 0

>



> And where's the server's reply (HELLO or alert?)?


It's the next packet:

Transport Layer Security
     TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
         Content Type: Alert (21)
         Version: TLS 1.2 (0x0303)
         Length: 2
         Alert Message
             Level: Fatal (2)
             Description: Handshake Failure (40)



--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt
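
An added example, not part of the original message: a way to check mechanically which suites from the quoted Client Hello survive the quoted Exim cipher string, instead of comparing against log statistics by eye. It expands the string with the local OpenSSL through Python's `ssl` module, so the result reflects the machine it runs on rather than the FreeBSD server in the thread; the last column is the certificate key type each shared suite needs on the server side.

```python
import re
import ssl

# Cipher string copied from the Exim debug output quoted in the message.
EXIM_CIPHERS = ("ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:"
                "!EXP:!SRP:!DSS:!DHE:!3DES")

# The twelve "Cipher Suite" lines copied from the quoted Wireshark dump.
CLIENT_HELLO = """\
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

def offered_suites(dump):
    """Return {wire_code: IANA name} for every 'Cipher Suite:' line."""
    pat = re.compile(r"Cipher Suite: (\S+) \(0x([0-9a-fA-F]{4})\)")
    return {int(code, 16): name for name, code in pat.findall(dump)}

def enabled_suites(cipher_string):
    """Return {wire_code: cipher info} enabled by the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL ids look like 0x0300c02b; the low 16 bits are the wire code.
    return {c["id"] & 0xFFFF: c for c in ctx.get_ciphers()}

def shared_suites(dump, cipher_string):
    """Suites both offered and enabled, in the client's preference order."""
    offered = offered_suites(dump)
    enabled = enabled_suites(cipher_string)
    return [(code, enabled[code]["name"], enabled[code].get("auth"))
            for code in offered if code in enabled]

if __name__ == "__main__":
    for code, name, auth in shared_suites(CLIENT_HELLO, EXIM_CIPHERS):
        print(f"0x{code:04x}  {name:32}  {auth}")
```
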