Re: [exim] TLS error no shared cipher with SSL_accept: error…

Author: Marcin Gryszkalis
Date:
To: exim-users
Subject: Re: [exim] TLS error no shared cipher with SSL_accept: error in error
On 31.05.2021 14:42, Cyborg via Exim-users wrote:
> The client did not offer a cipher you have allowed.


But it's not true (see details in my response to Viktor's mail).

> You can do various tests to find out with openssl's s_client:


With s_client I always succeed, e.g. when I use the first cipher from the Client
Hello:

openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384

SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
     Session-ID: ...
     Session-ID-ctx:
     Master-Key: ...
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1622470949
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)



But when I tried to specify the curve, it failed:

openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1

CONNECTED(00000004)
34380884168:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:1498:SSL alert
number 40
34380884168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake
failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:

prime256v1 = secp256r1

I checked on exim built on FreeBSD 12 (with openssl 1.1) and it works
fine, but it fails on another installation with openssl 1.0.

It's a bit strange, as exim advertises this curve when connecting as an SMTP
client, and list_curves also lists it:

openssl ecparam -list_curves | grep 256v1
prime256v1: X9.62/SECG curve over a 256 bit prime field


--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt
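The per-curve s_client test Marcin runs by hand above is easy to automate when you are tracking down a "no shared cipher" failure on your own server: run s_client once per candidate curve and parse the result (negotiated cipher, or the TLS alert number on failure). The following is an added example, not code from the mailing-list thread or from Exim; the function names, the `probe_curves`/`summarize` helpers and the two sample transcripts are mine, constructed from the shape of the output shown in the post. It assumes an `openssl` binary whose `s_client` accepts `-curves` (OpenSSL 1.0.2 and later).

```python
"""Probe which TLS curves a server accepts for one cipher suite by driving
``openssl s_client`` and parsing its output.  Added example; names and
sample transcripts are constructed, not taken from the original post."""
import re
import subprocess
from typing import Callable, Dict, List, Optional

# TLS alert descriptions (RFC 5246 section 7.2); only the ones a cipher or
# curve mismatch commonly produces are listed here.
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def parse_s_client_output(text: str) -> Dict[str, Optional[object]]:
    """Extract the outcome of one s_client run from its combined stdout/stderr.

    Handles the mail-wrapped form seen in the post, where "SSL alert" and
    "number 40" ended up on different lines."""
    result: Dict[str, Optional[object]] = {
        "connected": "CONNECTED(" in text,
        "protocol": None, "cipher": None, "alert": None, "verify_ok": None,
    }
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        result["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m and m.group(1) != "0000":          # s_client prints 0000 when no cipher was agreed
        result["cipher"] = m.group(1)
    m = re.search(r"SSL alert\s+number\s+(\d+)", text)
    if m:
        n = int(m.group(1))
        result["alert"] = (n, ALERT_NAMES.get(n, "unknown"))
    m = re.search(r"Verify return code:\s*(\d+)", text)
    if m:
        result["verify_ok"] = m.group(1) == "0"
    return result


def run_s_client(host: str, port: int, cipher: str, curve: str) -> str:
    """Run the real openssl binary with the same options used in the post."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_2",
           "-cipher", cipher, "-curves", curve]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def probe_curves(host: str, port: int, cipher: str, curves: List[str],
                 run: Callable[[str, int, str, str], str] = run_s_client) -> Dict[str, dict]:
    """Try each curve in turn; `run` is injectable so the logic can be tested offline."""
    return {curve: parse_s_client_output(run(host, port, cipher, curve)) for curve in curves}


def summarize(results: Dict[str, dict]) -> List[str]:
    """One human-readable line per curve."""
    lines = []
    for curve, r in results.items():
        if r["cipher"]:
            lines.append(f"{curve}: OK {r['protocol']} {r['cipher']}")
        elif r["alert"]:
            lines.append(f"{curve}: FAIL alert {r['alert'][0]} ({r['alert'][1]})")
        else:
            lines.append(f"{curve}: FAIL (no alert seen)")
    return lines


# Constructed sample transcripts, modelled on the two runs in the post.
SAMPLE_OK = """CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""
SAMPLE_FAIL = """CONNECTED(00000004)
34380884168:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:s3_pkt.c:1498:SSL alert
number 40
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""


def fake_run(host: str, port: int, cipher: str, curve: str) -> str:
    """Offline stand-in for run_s_client: pretend only secp384r1 is accepted."""
    return SAMPLE_OK if curve == "secp384r1" else SAMPLE_FAIL


if __name__ == "__main__":
    res = probe_curves("127.0.0.1", 465, "ECDHE-ECDSA-AES256-GCM-SHA384",
                       ["prime256v1", "secp384r1"], run=fake_run)
    print("\n".join(summarize(res)))
```

Against a live server, call `probe_curves(...)` without the `run=` argument. A curve that fails with alert 40 while the same cipher succeeds without `-curves` points at the server side's supported-groups configuration (or at a library that lacks the curve) rather than at the cipher list, which is exactly the distinction the post is trying to make.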