Re: [exim] TLS error no shared cipher with SSL

Συντάκτης: Viktor Dukhovni
Ημερομηνία:
Προς: exim-users
Αντικείμενο: Re: [exim] TLS error no shared cipher with SSL_accept: error in error

On Mon, May 31, 2021 at 11:08:22PM +0300, Evgeniy Berdnikov via Exim-users wrote:

> > SSL-Session: > > Protocol : TLSv1.2 > > Cipher : ECDHE-ECDSA-AES256-GCM-SHA384 > > Session-ID: ... > > Session-ID-ctx: > > Master-Key: ... > > Key-Arg : None > > PSK identity: None > > PSK identity hint: None > > SRP username: None > > Start Time: 1622470949 > > Timeout : 7200 (sec) > > Verify return code: 0 (ok)

> >
> >
> > But - I tried to specify the curve and it failed
> >
> > openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> > ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1

This cipher requires the server to have an ECDSA certificate,
you've probably only configured an RSA certificate. The
support SHA384 ciphers in OpenSSL 1.1.1 are:

    $ OpenSSL_1_1_1/bin/openssl ciphers -s -tls1_2 -v ALL+SHA384
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384

> It looks like recent libssl considers ECDHE-ECDSA-AES256-GCM-SHA384
> as TLSv1.3-only cipher. And post-handshake message mentions it
> in some other manner:

That's not the case.

-- 
    Viktor.

Αυτό το μήνυμα είναι μέρος του ακόλουθου νήματος:
	το πλήρες δέντρο νημάτων ταξινομημένο κατά ημερομηνία
	Evgeniy Berdnikov στο
	Viktor Dukhovni στο

Re: [exim] TLS error no shared cipher with SSL_accept: error…