TLS error after updating Exim to 4.93.0.4 from 4.93.0.3

RoRoo (Verified User, joined Dec 16, 2004, 111 messages)

Hi All,

Last Monday I updated our servers' Exim version from 4.93.0.3 to 4.93.0.4, and immediately after that the logs started filling with errors of this kind:
Code:
TLS error on connection from [x.x.x.x] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
I've tried reverting, but the error remained.
I've reissued our let's encrypt server certificate, but the error remained.

After a lot of searching, I found this page: https://help.directadmin.com/item.php?id=571
and changed tls_require_ciphers from:
Code:
tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
to
Code:
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
in the exim.variables.custom file, which I needed to create (so there was no previous customization).
The errors were gone after ./build eximconf.

The clients that were generating these errors were using Apple mail and Outlook for Windows and some mailservers using our server as a relay host (with permission).

The problem is now fixed, but the differences annoy me. Is our server still secure? Or should I revert and ...?

It feels like a workaround.
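Added example, not code from the thread or from DirectAdmin: a small Python script that diffs the two tls_require_ciphers strings quoted above and flags what the replacement list gives up. OLD and NEW are the two strings from the post; classify() is this example's own name-based heuristic over OpenSSL suite names, not a call into OpenSSL.

```python
"""Diff two Exim tls_require_ciphers strings and flag weaker additions.

Added example, not code from the thread or from DirectAdmin. OLD and NEW are
the two cipher strings quoted in the post; classify() is this example's own
name-based heuristic over OpenSSL suite names, not a call into OpenSSL.
"""

OLD = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
       "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
       "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
       "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

NEW = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
       "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
       "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
       "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:"
       "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")


def parse_cipher_list(spec):
    """Split an OpenSSL-style cipher string into (suites, exclusions), order kept."""
    suites, exclusions = [], []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            exclusions.append(token[1:])
        else:
            suites.append(token)
    return suites, exclusions


def classify(suite):
    """Return the weaknesses a suite name reveals; an empty list means it looks modern."""
    issues = []
    # No (EC)DHE prefix means static RSA key exchange: no forward secrecy.
    if not suite.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy (static RSA key exchange)")
    if "DES-CBC3" in suite:
        issues.append("3DES, 64-bit block cipher (Sweet32)")
    # Everything that is neither GCM nor ChaCha20-Poly1305 in these lists is CBC + HMAC.
    if "GCM" not in suite and "CHACHA20" not in suite:
        issues.append("CBC mode, not an AEAD construction")
    return issues


def diff_cipher_lists(old_spec, new_spec):
    """Report suites added and removed, and which additions carry known weaknesses."""
    old, _ = parse_cipher_list(old_spec)
    new, new_excl = parse_cipher_list(new_spec)
    added = [s for s in new if s not in old]
    removed = [s for s in old if s not in new]
    return {
        "added": added,
        "removed": removed,
        "excluded": new_excl,
        "weak_added": {s: classify(s) for s in added if classify(s)},
    }


if __name__ == "__main__":
    report = diff_cipher_lists(OLD, NEW)
    print("removed:", ", ".join(report["removed"]) or "-")
    print("added:  ", ", ".join(report["added"]) or "-")
    for suite, issues in report["weak_added"].items():
        print(f"  {suite}: {'; '.join(issues)}")
```

Run against the two strings from the post, the script shows that the change dropped DHE-RSA-AES256-GCM-SHA384 and appended four suites, three of them without forward secrecy and one of them 3DES. The ECDHE-ECDSA entries are inert unless the server certificate has an ECDSA key. Whether a client that could do better ends up on one of the appended suites depends on whose preference order wins in the handshake; a direct check is `openssl s_client -starttls smtp -connect mail.example.com:25 -cipher AES128-SHA` (hostname assumed), which should fail to negotiate once that suite is removed again.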

smtalk (Administrator, Staff member, joined Aug 22, 2006, 8,897 messages, LT, EU)

RoRoo (Verified User, joined Dec 16, 2004, 111 messages)
TLS 1.1 is indeed being dropped on our servers, and has been for a while now (this install is 72 days old).

But the ciphers seem to have changed recently, causing Apple (iOS and macOS) clients and newer Windows clients to fail.

Richard G (Verified User, joined Jul 6, 2008, 4,517 messages, Maastricht)
At this point I had a lot of those logs too, but not from customers, only from a single dynamic IP range trying to brute-force.
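Added example, not from the thread: before loosening the cipher list, it is worth knowing whether the "no shared cipher" lines come from real clients or, as in the post above, from one dynamic range probing the server. This Python script parses those Exim log lines and groups them per address and per range. SAMPLE_LOG is constructed for this example using RFC 5737 documentation addresses; real input would be the Exim mainlog.

```python
"""Group Exim 'no shared cipher' failures by source address and address range.

Added example, not from the thread. SAMPLE_LOG is constructed for this example
(RFC 5737 documentation addresses); real input would be the Exim mainlog.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Matches the SSL_accept failure line Exim writes, with or without a hostname
# before the bracketed client address.
TLS_ERROR_RE = re.compile(
    r"TLS error on connection from .*?\[(?P<ip>[^\]]+)\] \(SSL_accept\): (?P<err>.+)$"
)

# Constructed sample: one relay, one scanner roaming a /24, one client, one good session.
SAMPLE_LOG = """\
2020-04-20 09:12:01 TLS error on connection from (mail.example.net) [203.0.113.10] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:12:03 TLS error on connection from [198.51.100.7] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:12:04 TLS error on connection from [198.51.100.7] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:12:05 TLS error on connection from [198.51.100.9] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:12:08 TLS error on connection from [198.51.100.33] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:13:00 TLS error on connection from (outlook-client) [192.0.2.44] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-04-20 09:13:02 <= sender@example.org H=mail.example.org [192.0.2.55] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1234
"""


def parse_tls_errors(text):
    """Return (ip, error) for every SSL_accept failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("err")))
    return events


def range_of(ip, v4_prefix=24, v6_prefix=64):
    """Collapse an address into the block a dynamic-IP customer would roam in."""
    addr = ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def summarise(events, v4_prefix=24):
    """Failures per address, failures per range, and distinct addresses per range."""
    per_ip = Counter(ip for ip, _ in events)
    per_range = Counter(range_of(ip, v4_prefix) for ip, _ in events)
    hosts_in_range = defaultdict(set)
    for ip, _ in events:
        hosts_in_range[range_of(ip, v4_prefix)].add(ip)
    return per_ip, per_range, {r: len(s) for r, s in hosts_in_range.items()}


def suspicious_ranges(events, min_failures=3, min_hosts=2, v4_prefix=24):
    """Ranges with many failures spread over several hosts: a scanner on dynamic IPs,
    not one mail client. A single relay failing repeatedly stays out of this list."""
    _, per_range, hosts = summarise(events, v4_prefix)
    return sorted(r for r, n in per_range.items()
                  if n >= min_failures and hosts[r] >= min_hosts)


if __name__ == "__main__":
    events = parse_tls_errors(SAMPLE_LOG)
    per_ip, per_range, hosts = summarise(events)
    for rng, n in per_range.most_common():
        print(f"{rng:20} {n} failures from {hosts[rng]} host(s)")
    print("suspicious:", suspicious_ranges(events))
```

On the sample, 198.51.100.0/24 is the only range flagged; the single failure from 203.0.113.10 is the kind of entry to look at by hand (a relay whose operator can be asked which suites it offers) rather than fix by adding legacy ciphers for everyone.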