Got ssl3_get_client_hello:no shared cipher from server with TLS1.2 support??

Richard G

So I needed to get some mails from a government site, which is the RDW or rdw.nl domain, but I didn't get them.

Checking my mail logs gave me this issue:
Code:
2022-09-07 16:38:19 TLS error on connection from mail1.diensten.rdw.nl [91.213.37.30] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Our server does support TLS 1.2 and as far as I could see, also the server of rdw.nl does support TLS 1.2 so I don't know why I got this error.

Ciphers seem fine on my side:
Code:
 nmap --script ssl-enum-ciphers -p 465 95.216.69.68

Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-07 18:20 CEST
Nmap scan report for serverxx.company.nl (95.xxx.xxx.xxx)
Host is up (0.000032s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

And also:
Code:
@root# grep tls_dh_max_bits /etc/exim*
/etc/exim.variables.conf:tls_dh_max_bits = 4096
so that all looks fine.

Exim version 4.96 #2 built 05-Jul-2022 03:17:51
CentOS 7.9.

Then my fallback MX tried and I got loads of these:
Code:
2022-09-07 17:01:35 H=fallbackmail.somedomain.nl [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
2022-09-07 17:01:35 185.xxx.xx.xx whitelisted in local domains whitelist

Eventually I did get the mail via the same fallback mail.
Code:
2022-09-07 18:01:34 185.104.28.9 whitelisted in local hosts IP whitelist
2022-09-07 18:01:34 1oVxUc-0007pb-1H <= [email protected] H=fallbackmail.somedomain.nl [185.xxx.xx.xx] P=esmtp S=10030 DKIM=rdw.nl [email protected] T="Aanvraag ontvangen en in behandeling" from <[email protected]> for [email protected]
2022-09-07 18:01:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1oVxUc-0007pb-1H

So I'm very confused now and have the following questions.
1.) Why is the mail from the government RDW.nl refused for missing SSL ciphers while we both have TLS 1.2 available?
2.) Why did I get so many (also double bounce notices) from my fallback mailserver, while in the end the fallback mailserver delivered anyway?

How is this possible and how do I fix this?
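As an added example (not part of this post or of Exim), here is a small Python triage script for the situation described above: it parses Exim mainlog lines for "TLS error on connection from ..." entries and counts them per sending host and per OpenSSL reason, so you can see at a glance whether a "no shared cipher" failure comes from one legitimate sender or from a crowd of outdated or spamming servers. The log lines embedded in it are constructed samples in Exim's format, and the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Exim mainlog lines (not a real server's log).
# The last line is a successful delivery with TLS and is ignored by the parser.
SAMPLE_MAINLOG = """\
2022-09-07 16:38:19 TLS error on connection from mail1.example.test [192.0.2.10] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2022-09-07 16:40:02 TLS error on connection from mail1.example.test [192.0.2.10] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2022-09-07 16:41:11 TLS error on connection from [192.0.2.20] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-09-07 16:42:30 1ABCDE-000001-AA <= sender@example.test H=relay.example.test [198.51.100.5] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=1234
"""

# Exim writes the host name before the bracketed IP when it is known;
# on some connections only "[ip]" is present, so the host part is optional.
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\] \((?P<phase>[^)]+)\): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)


def parse_tls_errors(log_text):
    """Return one dict per TLS error line (timestamp, host, ip, phase, code, func, reason)."""
    events = []
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["host"] = ev["host"] or "-"   # keep the key even when Exim logged no host
            events.append(ev)
    return events


def summarize(events):
    """Count OpenSSL reasons per (ip, host) pair.

    'no shared cipher' during SSL_accept means the remote client's ClientHello
    offered nothing that this server's cipher list *and* certificate key type
    can use together; 'bad certificate' is an alert the remote side sent back
    about the certificate we presented.
    """
    summary = defaultdict(Counter)
    for ev in events:
        summary[(ev["ip"], ev["host"])][ev["reason"]] += 1
    return summary


def noisy_hosts(summary, threshold):
    """IPs with at least `threshold` TLS failures, most failures first."""
    totals = [(sum(c.values()), ip) for (ip, _host), c in summary.items()]
    return [ip for n, ip in sorted(totals, reverse=True) if n >= threshold]


if __name__ == "__main__":
    summary = summarize(parse_tls_errors(SAMPLE_MAINLOG))
    for (ip, host), reasons in summary.items():
        print(f"{ip} {host}: {dict(reasons)}")
    print("hosts with 2+ failures:", noisy_hosts(summary, 2))
```

On a live system you would feed it `/var/log/exim/mainlog` (or the path your distribution uses) instead of the embedded sample; a single government or business sender showing up repeatedly is the case worth investigating, while a long tail of one-off hosts is the outdated-and-spamming background noise the thread talks about later.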
 
I have tried to test the mail1.diensten.rdw.nl SSL error but can't connect at all!
[000.000]Trying TLS on mail1.diensten.rdw.nl[91.213.37.30:25] (-1)
[030.031]Cannot contact server (reason: Connection timed out)
 
Yes it's odd. It's not listed as any MX either. It does have PTR record.
So it looks as if it's a mistake on their side then.

I just double-checked: the proper SSL certificates were for rdw.nl, not for the mail1.diensten.rdw.nl part.

Still... this does not explain the double bounces from my fallback mailserver like this:
Code:
2022-09-07 17:01:50 185.xxx.xx.xx whitelisted in local domains whitelist
2022-09-07 17:01:50 H=fallbackmail.somedomain [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
2022-09-07 17:01:50 185.xxx.xx.xx whitelisted in local domains whitelist
2022-09-07 17:01:50 H=fallbackmail.somedomain [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
2022-09-07 17:01:50 185.xxx.xx.xx whitelisted in local domains whitelist
2022-09-07 17:01:50 H=fallbackmail.somedomain [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
2022-09-07 17:01:50 185.xxx.xx.xx whitelisted in local domains whitelist
2022-09-07 17:01:50 H=fallbackmail.somedomain [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
2022-09-07 17:01:50 185.xxx.xx.xx whitelisted in local domains whitelist
2022-09-07 17:01:50 H=fallbackmail.somedomain [185.xxx.xx.xx] incomplete transaction (RSET) from <[email protected]> for [email protected]
Odd, those resets, aren't they?

And then it's paused because of too many tries. Then again such list and suddenly it arrived.
 
I have the same problem after updating exim. I tried to downgrade but it didn't help. Did you fix it?
 
No, I just wrote a mail to the RDW that they should update their mailservers and ciphers.
Because normally I only have these log entries with outdated and spamming servers. So if they can't connect I don't care.
Other servers like the tax office (belastingdienst en ook gemeente) don't have any issues connecting.

If you want people to be able to connect via TLS 1.1 then an option needs to be changed. But TLS 1.1 is EOL so I won't do that.
 
Unfortunately, the internet is full of such out-of-date servers. I have a lot of undelivered messages for this reason :(
 
Well... you can have a look in the logs as to where it's coming from. In my case if there are more on the servers, it's mostly spammers.
Our customers do not complain about certain mail not being received and I don't see any valid companies in the logs with those errors.

There are some home-resided MTAs, so little companies running their mailserver from home or a VPS, but well... if they want to play mail provider, they should have their things up to date. This happens rather rarely.

It's a default now and probably most of us are not using TLS 1.0 and/or 1.1 anymore. However if you want to revert to EOL stuff, try this.
 
I've been using these settings for a long time. On servers with the previous version of exim everything worked fine, messages were not rejected. The problem showed up after the upgrade, I tried to downgrade and even copy files (binary and configuration) from another server (where everything works fine) but nothing helps. Drama.
 
You also adjusted the cipher settings for exim in a custom file?
If yes then I don't know. You might need to open a new thread for it stating you can't get TLS 1.1 working anymore or open a support ticket with DA.
 
Code:
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
This is my exim.variables.conf.custom (then ./build exim_conf).
Unfortunately, my licenses do not include support ...

My logs are full of:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
and
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
 
Might be the host does not have the correct ciphers, had that issue with a printer sending mail before.

Issue this command in SSH:
Code:
nmap --script ssl-enum-ciphers -p 465 localhost
see which ciphers are present. Should not be only ECDHE.
 
Code:
Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-13 14:54 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000032s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
 
Yep, was afraid of that. This will give issues, had this myself too.

Create a new record for your hostname like this (replace with your own hostname) and then check again.

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single your.hostname.com 4096
after that, check ciphers again.
 
Code:
Starting Nmap 6.40 ( http://nmap.org ) at 2022-09-13 15:00 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000033s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Looks better?
 
Yes, looks better. But still no TLS 1.1 ciphers.
Probably you need to set the ssl configuration to old, or did you already have that?
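As an added example (not from this thread, Exim or DirectAdmin), the following Python uses only the standard ssl module to show what OpenSSL makes of the tls_require_ciphers string posted earlier in this thread, and it explains both nmap results above: with a certificate whose key is ECDSA only the ECDHE-ECDSA suites can be negotiated, after an RSA certificate is installed the ECDHE-RSA and DHE-RSA suites become usable, and none of the listed suites exists below TLS 1.2, which is why a TLS 1.1 client still finds no shared cipher. The function names and the "rsa"/"ecdsa" labels are mine; the cipher string is the one from the thread.

```python
import ssl

# The tls_require_ciphers value posted earlier in the thread.
CUSTOM_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)


def enabled_ciphers(cipher_string):
    """Cipher entries OpenSSL enables for an Exim-style cipher string.

    TLS 1.3 suites are configured separately in OpenSSL and are always
    present, so they are filtered out to look only at what the string
    itself permits. Raises ssl.SSLError if nothing in the string matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_with_cert(cipher_string, key_type):
    """Names of the enabled ciphers a server can actually offer with a
    certificate of the given key type ("rsa" or "ecdsa").

    A suite's authentication method must match the certificate's key:
    ECDHE-ECDSA-* needs an ECDSA certificate, *-RSA-* needs an RSA one.
    OpenSSL reports this as "auth-rsa" / "auth-ecdsa" in get_ciphers().
    """
    want = "auth-" + key_type
    return [c["name"] for c in enabled_ciphers(cipher_string) if c["auth"] == want]


def protocols(cipher_string):
    """Lowest protocol version each enabled suite requires, deduplicated."""
    return sorted({c["protocol"] for c in enabled_ciphers(cipher_string)})


def pre_tls12_ciphers(cipher_string):
    """Suites that a TLS 1.0/1.1 client could negotiate (empty = TLS 1.2 only)."""
    return [c["name"] for c in enabled_ciphers(cipher_string) if c["protocol"] != "TLSv1.2"]


if __name__ == "__main__":
    print("with an ECDSA certificate:", usable_with_cert(CUSTOM_CIPHERS, "ecdsa"))
    print("with an RSA certificate:  ", usable_with_cert(CUSTOM_CIPHERS, "rsa"))
    print("protocol versions:", protocols(CUSTOM_CIPHERS))
    print("usable below TLS 1.2:", pre_tls12_ciphers(CUSTOM_CIPHERS))
```

The first nmap output (ECDHE-ECDSA only) corresponds to the "ecdsa" list, the second (DHE-RSA and ECDHE-RSA) to the "rsa" list; the AEAD-only string explains the "no TLS 1.1 ciphers" remark, since GCM and ChaCha20 suites were introduced with TLS 1.2. Whether to relax that is a policy choice; the script only makes the consequence of the configuration visible before a remote sender does.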
 