Re: [exim] TLS error no shared cipher with SSL_accept: error…

Author: Marcin Gryszkalis
Date:
To: exim-users
Subject: Re: [exim] TLS error no shared cipher with SSL_accept: error in error
On 31.05.2021 23:29, Viktor Dukhovni via Exim-users wrote:
> I see, the version of OpenSSL may be relevant here.
>
> Is the server in question "mail.fuze.pl"? On port 25 for that server I

This is not the server, but it uses the same configuration and the same
FreeBSD/openssl version - but as I tested it with s_client it didn't fail!

openssl s_client -connect mail.fuze.pl:465 -tls1_2 -curves P-256

Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

so I checked what the difference between these two boxes is - and
finally found it - the problematic exim uses an EC certificate, while
mail.fuze.pl uses (as you could see) RSA. The change was caused by the
switch of defaults in the dehydrated Let's Encrypt client:

https://github.com/dehydrated-io/dehydrated/commit/174616becd96c202e3ff6dc0f28b3b435644f623

The EC cert is secp384r1 / P-384 so forcing P-256 only causes the alert.
In fact, testing with s_client and -curves P-256:P-384 is successful.

Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit

So I think I'll switch back to RSA for a few more years ;)

Thank you all for helping to debug this stuff, best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt
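The behaviour the post observed, as an added example that is not part of the thread: a simplified model of how an OpenSSL TLS 1.2 server picks the ephemeral ECDH curve and decides whether its certificate is usable at all. In TLS 1.2 the client's `-curves` list (the supported_groups extension) also restricts which EC certificate the server may present, so an ECDSA P-384 certificate against a client offering only P-256 yields "no shared cipher", while offering P-256:P-384 gives a P-256 temp key and a 384-bit server key. Cipher suite names and the server's group list are assumptions chosen to match the thread's s_client output.

```python
"""Model of TLS 1.2 curve and cipher selection (constructed illustration,
not OpenSSL's code). TLS 1.3 differs: there the certificate curve is
governed by signature_algorithms, not supported_groups."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    kind: str                   # "RSA" or "EC"
    curve: Optional[str] = None # curve of the EC public key, e.g. "P-384"

@dataclass(frozen=True)
class Outcome:
    ok: bool
    cipher: Optional[str] = None        # suite the server settles on
    tmp_key_curve: Optional[str] = None # curve of the ephemeral ECDH key
    reason: Optional[str] = None        # why the handshake failed

def parse_curves(arg: str) -> list[str]:
    """Turn an s_client '-curves P-256:P-384' argument into a group list."""
    return [g for g in arg.split(":") if g]

def negotiate_tls12(cert: Cert, client_groups: list[str],
                    server_groups: tuple[str, ...] = ("P-256", "P-384", "P-521")) -> Outcome:
    # Rule 1: the ECDHE temp key uses the first client-offered group the
    # server also supports (OpenSSL defaults to client preference order).
    shared = [g for g in client_groups if g in server_groups]
    if not shared:
        return Outcome(False, reason="no shared group for ECDHE")
    tmp = shared[0]
    # Rule 2 (the one that bit here): an EC certificate whose key curve the
    # client did not list is unusable, so no ECDHE-ECDSA suite can be chosen
    # and the server answers with "no shared cipher".
    if cert.kind == "EC":
        if cert.curve not in client_groups:
            return Outcome(False, reason=f"certificate curve {cert.curve} "
                                         f"not in client groups {client_groups}")
        return Outcome(True, "ECDHE-ECDSA-AES256-GCM-SHA384", tmp)
    return Outcome(True, "ECDHE-RSA-AES256-GCM-SHA384", tmp)

if __name__ == "__main__":
    # The three handshakes from the thread, reproduced by the model.
    for cert, curves in [(Cert("RSA"), "P-256"),
                         (Cert("EC", "P-384"), "P-256"),
                         (Cert("EC", "P-384"), "P-256:P-384")]:
        print(cert, curves, "->", negotiate_tls12(cert, parse_curves(curves)))
```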