exim issue diffie hellman

Yes well. You are correct there, but that is not my task, I wouldn't even know where to begin.
This all started after updating Directadmin to the latest version, so it must be somewhere in there and DA support is way better in knowing what changed in Directadmin.

Intermediate should be the default setting for Directadmin if there is nothing set in directadmin.conf.

It shouldn't be necessary to create a ticket for this. However I'm not really happy with forum support lately. I don't know if they are still very busy with other things.
 
Can you take diff's from the exim configs between the current one and the one that worked fine from backup?
Maybe this tells you what's changed.
 
Maybe this is the cause here to a change in LE or so?

TLS handshake error for API calls

I'm about to go crazy over this error that has surfaced recently, possibly after an update of something. I have an ansible playbook that does calls to the DA API, but it is failing on only *some* of my servers with the following error: Status code was -1 and not [200]: Request failed: When...
forum.directadmin.com forum.directadmin.com

But then have to know which and how CERTS are used and how to change such changed defaults while is no WIKI / HELP topic about?? ( i could be wrong then sorry)
 
UH richard this update and you use maildomain sni

perhaps use the bugfix script?

Version 1.62.3 | Directadmin Docs

DirectAdmin Knowledge Base
www.directadmin.com

Bugfix

Finished



Domains using the automatic SSL Certificate tool did not get a dovecot SNI entry during the task.queue The task.queue call: echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue will now ONLY rewrite the /etc/dovecot/conf/sni/* files. It previously did a rewrite on the /etc/virtual/snidomains file: no more. Please use: echo "action=rewrite&value=snidomains" >> /usr/local/directadmin/data/task.queue to rewrite the /etc/virtual/snidomains file. --- T33777
Click to expand...
 
@Driesp I don't have a backup of updatse unless DA creates them. As far as I know I didn't do any exim update the week before last week (in the meantime), however not 100% sure anymore. There was one last week but then the issues already were taking place.

@ikkeben I ran that command, but still the same.
Code: 
nmap --script ssl-enum-ciphers -p 465 95.xxx.xxx.xxx
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
so the other cipers still not present. I should already have the bugfix you are pointing to I should already have since I have the newest DA version.

Really seems a DA bug so I hope they have a look at this thread soon.
 
I think you maybe have to run again after that a Letsencrypt with the right settings again but can't find out yes or no and what config settings for that.

That is why i asked for some "newer" howto's here

CERTS and LETSENCRYPT revoke manual renew / change howto docs info

https://help.directadmin.com/item.php?id=2084 How to revoke LetsEncrypt hostname certificate But is with a manual renew / NEW not a revoke from a already generated LE old cert at the same time? So with this script if done again while something not working very wel is a revoke from old ...
forum.directadmin.com forum.directadmin.com


Problem with SSL on Hostname and DA and HSTS with other aplications on other ports!

Problem with SSL on Hostname and DA and HSTS with other aplications on other ports! If you have DA redir to sl, a ssl LEcert on hostname and HSTS. Then if you also managed in this combi to have port 443 done the right way? hostname is not domain. so "vps.exampledomain.com" There you have...
forum.directadmin.com forum.directadmin.com

exim issue diffie hellman

Yes well. You are correct there, but that is not my task, I wouldn't even know where to begin. This all started after updating Directadmin to the latest version, so it must be somewhere in there and DA support is way better in knowing what changed in Directadmin. Intermediate should be the...
forum.directadmin.com forum.directadmin.com

TLS handshake error for API calls

I'm about to go crazy over this error that has surfaced recently, possibly after an update of something. I have an ansible playbook that does calls to the DA API, but it is failing on only *some* of my servers with the following error: Status code was -1 and not [200]: Request failed: When...
forum.directadmin.com forum.directadmin.com


But then have to know which and how CERTS are used and how to change such changed defaults while is no WIKI / HELP topic about?? ( i could be wrong then sorry)

But then how do choose the settings for this in generating the LE for hostname if didn't find that in the HELP and docs only bit size ( not celar if you can put there 2048, 4096, or also ec-384? or that i had before 3072 while is not in dropdown in GUI DA. So if defaults are changed then while you did have own value before is ????

Or the CERT TYPE there ?
Click to expand...
 
Hi Guys,

I've checked the custombuild git log, and the build script was updated to add the tls_dhparam value to the /etc/exim.variables.conf on Dec 5th, 2020, so this is not recent, but a rewrite in January would have been affected by this setting.

You can try rebuilding the /etc/exim_dh.pem file by just deleting it, and re-installing the exim.conf with: ./build exim_conf

If you need to disable it entirely (not recommended), you can set it to tls_dhparam=none
in your /etc/exim.variables.conf.custom and future ./build exim_conf would set it to "none".


The variable might support:
tls_dhparam=historic

which might be the default when unset, so you could also set that in the exim.variables.conf.custom, and if it's present in exim.variables.conf, DA won't add the tls_dhparam at all, allowing the use of "historic" (or "none").

Not sure if that will help or how the varouis different dh_param files affect the ciphers.. but trying "historic" might be what you're after if you want the default unset state.

John
 
I don't know about december last year, but smtalk fixed this in februari this year, see post #4:
Fixed in CB 2.0 rev. 2662. Thank you for the report.
Click to expand...
which added the tls_dh_max_bits = 4096 to the exim.variables.conf by default.

I encountered this issue only since februari 2021 or end of january after an exim or exim.conf update:

Solved - Did exim.conf 4.5.35 create SSL issue or changed ciphers?

I did not see an entry in the changelog for exim.conf 4.5.35. I updated to 4.5.35 (from 4.5.30 if I'm not mistaken) in the night of februari 1 to februari 2nd. I've seen more was updated, because amongst others also dkim.conf was updated. Now a customer of mine had an internet outage on the 2nd...
forum.directadmin.com forum.directadmin.com

After the fix from smtalk in februari, both the missing cipers mentioned were present again until two weeks ago. Maybe now it was not a DA update but letsencrypt or something. I only updated the system, did not change anything myself.

I just tried deleting the exim_dh.pem and rebuilding exim.conf which did not fix the issue.

When adding tls_dhparm=historic in /etc/exim.variables.conf.custom and rebuild exim.conf then no cipher at all will appear, not even the modern ones.

When using the tls_dhparam=none setting, it just goes back to what it was before I made any change. So this setting does not change anything.

So the missing ciphers below keep missing while they were working until last week... well now 2 weeks ago. :)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 
Last edited:
DirectAdmin Support said:
Hi Guys,

I've checked the custombuild git log, and the build script was updated to add the tls_dhparam value to the /etc/exim.variables.conf on Dec 5th, 2020, so this is not recent, but a rewrite in January would have been affected by this setting.

You can try rebuilding the /etc/exim_dh.pem file by just deleting it, and re-installing the exim.conf with: ./build exim_conf

If you need to disable it entirely (not recommended), you can set it to tls_dhparam=none
in your /etc/exim.variables.conf.custom and future ./build exim_conf would set it to "none".


The variable might support:
tls_dhparam=historic

which might be the default when unset, so you could also set that in the exim.variables.conf.custom, and if it's present in exim.variables.conf, DA won't add the tls_dhparam at all, allowing the use of "historic" (or "none").

Not sure if that will help or how the varouis different dh_param files affect the ciphers.. but trying "historic" might be what you're after if you want the default unset state.

John
Click to expand...
TIP YUP to look into Letsencrypt script and the possible settings changes there, for sofar i expect because of that there where kind of rewrites / changes possible, while i didn't understand i have to do part twice to get things working without the DH on a fresh install, but with working LE, before ony once ( manaul scripts and rewrites customuild... ) not working LE on Domain.

So if after a kind of change because of LE script ( Where if you have manual 3072 ... on hostname before for example what to do? )

Such settings rewrites for domain takes place ofcourse with yes no automatic renews yes or no?

There was a dovecot "bug" update problem with it or so??? So same if dovecot update then maybe after that a kind of rewrite settings came.

Problem with certs ciphers and settings are you only see problems after renew/rewrite in combination when someone ring a bell he not working anymore. Hard to find the first real CAUSE then afterwards.
 
A s you told me Hostname cert date is 8 Juli that is sofar i know the cert used for exim to!?
So if problem is after that date starting with that date then yes it was after a letsencrypt renew.

And yes sofar i know there where also several changes in Letsencrypt'from DA, but can't find a DIFF file / information , lot of checks on which keys and keysize are in it, if it was one that is not in it then it does a kind of default i guess with renew.
 
I didn't try on a fresh CentOS 8 install, but I've checked with this command to 127.0.0.1 on an older internal test box, and no matter what I do, before and after a full yum update, exim rebuild, /etc/exim_dh.pem deletion + auto download, or manual rebuild with `/usr/bin/openssl dhparam -out /etc/exim_dh.pem 4096`, I always get the same result:
Code: 
[root@es8-64-personal custombuild]# nmap --script ssl-enum-ciphers -p 465 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-20 21:24 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).

PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
So the configs and any combination of the /etc/exim_dh.pem file does not seem to affect it for me. It does indicate that these settings "can be correct" for whatever combination of things I've got here.

The old openssl version was:
OpenSSL 1.1.1c FIPS 28 May 2019

and the latest version:
OpenSSL 1.1.1g FIPS 21 Apr 2020

but neither had any effect... it always included TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the output.

To expand on the previous reply, the tls_dhparam value also support "none" and "default". If removing the tls_dhparam variable solves it, then perhaps adding tls_dhparam=default to the /etc/exim.variables.conf.custom and rewriting the exim.conf may have an effect. I believe that uses the internal dh primes (or something like that).

This internal box does not get any LetsEncrypt updates, so I wasn't able to rule out a LetsEncrypt certificate update possibly being related.
I know a while back we went from a default of 4096-bit LE keys, to now defaulting to a EC-384 key. Related? I've not ruled it out (didn't test between the 2). The old box I'm on uses the older 4096-bit cert key (self-signed, I believe).

I'm going to bump the thread to Martynas in case he has any ideas.
Perhaps creating a ticket with root login may be useful to try and narrow it down.

John
 
DirectAdmin Support said:
I didn't try on a fresh CentOS 8 install, but I've checked with this command t

This internal box does not get any LetsEncrypt updates, so I wasn't able to rule out a LetsEncrypt certificate update possibly being related.
I know a while back we went from a default of 4096-bit LE keys, to now defaulting to a EC-384 key. Related? I've not ruled it out (didn't test between the 2). The old box I'm on uses the older 4096-bit cert key (self-signed, I believe).


John
Click to expand...
No root login possible here , but at Richard you can ask him

The difference is at ours this on fresh centos8 install none Dh maby to now defaulting to a EC-384 key. Related? and older yes a default of 4096-bit LE keys.

While time window LE script update and some dates seem to overlap.
But sorry if i am wrong only reading and posting what i did see and think myself
 
If I run this command:
Code: 
/usr/bin/openssl dhparam -out /etc/exim_dh.pem 4096
the system is creating new keys so I've tested this to see if it makes any difference.

After creating the new exim_dh.pem and just to be sure rebuild exim.conf new this is the new result:

Code: 
Restarting exim.
[root@server23: /usr/local/directadmin/custombuild]# nmap --script ssl-enum-ciphers -p 465 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2021-07-21 13:43 CEST
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up (0.000045s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong

So still not all ciphers.

I checked the openssl versions on the servers.
On the Centos 7 servers it's OpenSSL 1.0.2k-fips 26 Jan 2017.
On the Centos 8 server it's OpenSSL 1.1.1g FIPS 21 Apr 2020
The Centos 8 server has 1 cipher more.

So I have no clue, maybe smtalk can see what's causing the missing ciphers.
 
We have the exact same issue. Engineer from Oxilion thinks this is indeed a bug in DA/CB.

A fix is appriciated!
 
This is very odd. I send in a ticket for this, but can't find that ticket anymore.
I send in a ticket again today.
 
No, I think some kind of issue with the ticket system. I didn't get a confirmation per email of the ticket. Same happened last year to me. I think it depends on which way you enter the ticket system. I did see a ticket number though both times (last year and now).

The new ticket went in fine and I also got the confirmation email of it, so it's fine now, I doublechecked the ticket that it's present.
 
mgeerarts said:
We have the exact same issue. Engineer from Oxilion thinks this is indeed a bug in DA/CB.
Click to expand...
If I understand correctly it has to do with the difference between RSA and EC certificates. I don't know how, but for some reason suddenly only EC certificates are used on the server.
We are still busy in the ticket trying to solve this.
 
Only posting this don't know about yes no cause but if though and someone didn't see this one then...

;) Starting May 4, 2021
Lets encrypt themselves has also some update newer (root) certs and other standards in base, there could be problems with compatible afterwards in combi with older browsers and older openssl versions, for the newer there was a post warning somewhere from Letsencrypt self but did find this now

letsencrypt.org

DST Root CA X3 Expiration (September 2021)

Update Feb 05, 2024 It’s been two years, and the Android compatibility cross-sign mentioned below is close to expiring. See our recent blog post for a detailed explanation of the changes coming over the course of 2024. Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has...
letsencrypt.org

community.letsencrypt.org

Production Chain Changes

Many of you have asked for a more simple way to understand the chain changes coming up. We hope this helps and can be a thread we update consistently when more information is available. Always scroll down for the latest posts/information! And note that "end-entity certificate" is another way to...
community.letsencrypt.org community.letsencrypt.org

Many of you have asked for a more simple way to understand the chain changes coming up. We hope this helps and can be a thread we update consistently when more information is available. Always scroll down for the latest posts/information! And note that "end-entity certificate" is another way to say "leaf certificate” or “subscriber certificate”.

For certificates with RSA keys​

Through May 3, 2021
  • Default chain: End-entity certificate ← R3 ← DST Root CA X3
  • Alternate chain: End-entity certificate ← R3 ← ISRG Root X1
Starting May 4, 2021
  • Default chain: End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
  • Alternate chain: End-entity certificate ← R3 ← ISRG Root X1
    • This is a shorter chain, available to people through the API who do not need the Android compatibility of the longer chain. You can choose this chain with many ACME clients, please see your chosen ACME client documentation for more information.
Click to expand...
 
Last edited:
You must log in or register to reply here.
Back
Top