Re: [exim] TLS error no shared cipher with SSL_accept: error…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Evgeniy Berdnikov
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] TLS error no shared cipher with SSL_accept: error in error
On Mon, May 31, 2021 at 04:42:55PM +0200, Marcin Gryszkalis via Exim-users wrote:
> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384
>
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
>     Session-ID: ...
>     Session-ID-ctx:
>     Master-Key: ...
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1622470949
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)

>
>
> But - I tried to specify the curve and it failed
>
> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1


My quick experiments on openssl/libssl 1.1.1k
with s_server <--> s_client show that combination
"s_client ... -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384"
always leads to such SSL alert number 40, even if server is running
with "-cipher ALL".

Running "s_server ... -tls1_2" leads to similar result.

It looks like recent libssl considers ECDHE-ECDSA-AES256-GCM-SHA384
as TLSv1.3-only cipher. And post-handshake message mentions it
in some other manner:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Resumption PSK: ...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)


It seems this behaviour reflects some unstable internals of libssl
and has no relation to Exim.
--
Eugene Berdnikov