Re: [exim] TLS error no shared cipher with SSL_accept: error…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] TLS error no shared cipher with SSL_accept: error in error
On Mon, May 31, 2021 at 11:08:22PM +0300, Evgeniy Berdnikov via Exim-users wrote:

> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> >     Session-ID: ...
> >     Session-ID-ctx:
> >     Master-Key: ...
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1622470949
> >     Timeout   : 7200 (sec)
> >     Verify return code: 0 (ok)

> >
> >
> > But - I tried to specify the curve and it failed
> >
> > openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> > ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1


This cipher requires the server to have an ECDSA certificate,
you've probably only configured an RSA certificate. The
support SHA384 ciphers in OpenSSL 1.1.1 are:

    $ OpenSSL_1_1_1/bin/openssl ciphers -s -tls1_2 -v ALL+SHA384
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384


> It looks like recent libssl considers ECDHE-ECDSA-AES256-GCM-SHA384
> as TLSv1.3-only cipher. And post-handshake message mentions it
> in some other manner:


That's not the case.

-- 
    Viktor.