TLS problem after upgrading from v2.2 to v2.3

TLS problem after upgrading from v2.2 to v2.3

Jan Vejvalka
Hi *,

The change in default SSL settings between 2.2 and 2.3 cut off a few
clients; Microsoft-hosted Exchange (?) being one of them:

Jan  4 11:02:56 kremail dovecot: pop3-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=40.101.4.hisip, lip=myip, TLS
handshaking: SSL_accept() failed: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<8SGob/BhTdcoZQS1>

Explicitly setting ssl_cipher_list to the old defaults helped:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Does someone have an idea what to recommend to the poor user, or should
I accept that I stay with the old defaults? The guy is cooperative, so
we can find out which of the !'s in the new defaults actually breaks the
connection... if you think it's worth it.

Thanks for your help,

Jan
Re: TLS problem after upgrading from v2.2 to v2.3

Goetz Schultz
Hi,

what are your settings?

Mine are below and they work just fine:

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3


Thanks and regards

  Goetz R. Schultz

On 04/01/18 18:56, Jan Vejvalka wrote:

> Hi *,
>
> The change in default SSL settings between 2.2 and 2.3 cut off a few
> clients; Microsoft-hosted Exchange (?) being one of them:
>
> Jan  4 11:02:56 kremail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=40.101.4.hisip, lip=myip, TLS
> handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<8SGob/BhTdcoZQS1>
>
> Explicitly setting ssl_cipher_list to the old defaults helped:
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> Does someone have an idea what to recommend to the poor user, or should
> I accept that I stay with the old defaults? The guy is cooperative, so
> we can find out which of the !'s in the new defaults actually breaks the
> connection... if you think it's worth it.
>
> Thanks for your help,
>
> Jan
>


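Added example (mine, not code from this thread, from Dovecot or from OpenSSL): a Python script that uses only the standard-library ssl module, which hands cipher strings to the local OpenSSL and reads back the suites they select. It answers Jan's question of which `!` exclusion in the new default removes which suites, and it reproduces the server-side check behind `SSL3_GET_CLIENT_HELLO:no shared cipher` for a given server string and client offer, including Goetz's explicit list from the reply above. The 2.2 default is the string Jan quoted; the 2.3 default string below is written from memory and is an assumption, so confirm it with `doveconf -d ssl_cipher_list` on the upgraded server. The RSA-only client offer is constructed for the demonstration, not captured from the Exchange connector.

```python
import ssl

# Dovecot 2.2 default, as quoted in the thread.
OLD_DEFAULT = "ALL:!LOW:!SSLv2:!EXP:!aNULL"

# Dovecot 2.3 default as I remember it: an ASSUMPTION, not taken from the thread.
# Confirm on the upgraded server with: doveconf -d ssl_cipher_list
NEW_DEFAULT = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES"
               ":!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")

# Goetz's explicit list from his reply, rejoined onto one string.
GOETZ_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3"
)

# Constructed ClientHello offer (NOT captured from Exchange): a client that only
# knows static-RSA key exchange with SHA-1 suites.
RSA_ONLY_CLIENT = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]


def expand(cipher_string):
    """Ask the local OpenSSL which TLS 1.2-and-below suites a cipher string
    selects. TLS 1.3 suites are configured separately and ignored here.
    Returns an empty set if OpenSSL rejects the string as matching nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def dropped(old, new):
    """Suites the old string offered that the new one no longer does."""
    return sorted(expand(old) - expand(new))


def blame(old, new):
    """For each '!rule' in new, the suites of old that this rule alone removes:
    which of the !'s actually cuts a given client off."""
    rules = [t for t in new.split("@")[0].split(":") if t.startswith("!")]
    base = expand(old)
    return {r: sorted(base - expand(old + ":" + r)) for r in rules}


def shared(server_string, client_offer):
    """Suites the server may pick from a client's offer. An empty result is
    exactly the condition behind 'SSL3_GET_CLIENT_HELLO:no shared cipher'."""
    return sorted(expand(server_string) & set(client_offer))


if __name__ == "__main__":
    print("removed by the 2.3 default:", dropped(OLD_DEFAULT, NEW_DEFAULT))
    for rule, suites in blame(OLD_DEFAULT, NEW_DEFAULT).items():
        if suites:
            print(f"{rule:9} removes {len(suites):3} suites, e.g. {suites[:3]}")
    for label, cfg in [("2.2 default", OLD_DEFAULT),
                       ("2.3 default", NEW_DEFAULT),
                       ("Goetz's list", GOETZ_LIST)]:
        print(f"{label:12} shared with RSA-only client:",
              shared(cfg, RSA_ONLY_CLIENT))
```

Run it on the upgraded server itself: the suites a string selects depend on that box's OpenSSL build and security level, and that is the same OpenSSL Dovecot links against. To name the real culprit, replace the constructed offer with the cipher names from a capture of the failing ClientHello; `blame` then tells you which single exclusion you would have to relax, which is a much smaller concession than returning to the whole 2.2 default.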