TLS error after update Exim to 4.93.0.4 from .0.3

[RoRoo]

Hi All,

Last monday I've updated our servers Exim version from 4.93.0.3 to 4.93.0.4 and immediately after that the logs started filling with these kind of errors:

TLS error on connection from [x.x.x.x] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

I've tried reverting, but the error remained.
I've reissued our let's encrypt server certificate, but the error remained.

After a lot of searching, I've found this page: https://help.directadmin.com/item.php?id=571
and changed the tls_require_ciphers from:

tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

to

tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

in the exim.variables.custom file that I needed to create (so no previous customization)
the errors were gone after the ./build eximconf

The clients that were generating these errors were using Apple mail and Outlook for Windows and some mailservers using our server as a relay host (with permission).

The problem is now fixed, but the differences annoy me. Is our server still secure? Or should I revert back and...... ?

It feels like a workaround.

 

[smtalk]

CustomBuild: ssl_configuration=intermediate setting will now also drop TLS 1.1 and older for exim and dovecot

If you're running a box with OpenSSL 1.0.2 or higher, any rebuilds of the exim.conf or dovecot.conf will include options to disable TLS 1.1. TLSv1.1 is EOL as of March 31, 2020. Windows 7 support ended on January 14, 2020. This is with CustmoBuild 2, rev 2404 and up: "./build version" If you...

forum.directadmin.com

 

[RoRoo]

CustomBuild: ssl_configuration=intermediate setting will now also drop TLS 1.1 and older for exim and dovecot

If you're running a box with OpenSSL 1.0.2 or higher, any rebuilds of the exim.conf or dovecot.conf will include options to disable TLS 1.1. TLSv1.1 is EOL as of March 31, 2020. Windows 7 support ended on January 14, 2020. This is with CustmoBuild 2, rev 2404 and up: "./build version" If you...

forum.directadmin.com

tls1.1 is indeed being dropped on our servers. For a while now.. (this install is 72 days old)

But the ciphers seem to have changed recently causing Apple (iOS and MacOS) clients and newer windows clients to fail.

 

[Richard G]

At this point I had a lot of those logs too, but not from customers, only from a single dynamic ip range trying to bruteforce.

 

[shanti]

the situation 2021 is even worse it seems .. many old, mostly windows-servers are still not lifecycled .. i see many goverment-related in austria offices affected ( cna.at , etc )

my actual config is:
exim.variables.conf.custom:

# POLARIX - https://help.poralix.com/articles/fixing-ssl-routines-error-ssl23-unknown-protocol-exim
tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA:!DSS

openssl_options=+no_sslv2 +no_sslv3 +cipher_server_preference

daemon_smtp_ports=25:587:465
tls_dhparam = /etc/exim_dh.pem
tls_on_connect_ports=465
tls_dh_max_bits=4096

still i massivly get log like this:

2021-02-23 08:05:29 TLS error on connection from mail2.sozvers.at [194.153.217.241] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-02-23 08:42:02 TLS error on connection from h062040140139.fis.cm.kabsi.at (mail.weisselbau-wien.at) [62.40.140.139] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

any ideas ?

Update: a major-breakpoint here was to use a KEY that is RSA-capeable .. elliptic-curves break some backward-compatibilities

 

[ikkeben]

the situation 2021 is even worse it seems .. many old, mostly windows-servers are still not lifecycled .. i see many goverment-related in austria offices affected ( cna.at , etc )

my actual config is:
exim.variables.conf.custom:

# POLARIX - https://help.poralix.com/articles/fixing-ssl-routines-error-ssl23-unknown-protocol-exim
tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA:!DSS

openssl_options=+no_sslv2 +no_sslv3 +cipher_server_preference

daemon_smtp_ports=25:587:465
tls_dhparam = /etc/exim_dh.pem
tls_on_connect_ports=465
tls_dh_max_bits=4096

still i massivly get log like this:

2021-02-23 08:05:29 TLS error on connection from mail2.sozvers.at [194.153.217.241] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-02-23 08:42:02 TLS error on connection from h062040140139.fis.cm.kabsi.at (mail.weisselbau-wien.at) [62.40.140.139] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

any ideas ?

YUP

Jeden die zu "alte einstellungen" hat und wichtig ist informieren.
Und ein Termin setzen , weil es macht wirklich kein sin, und wen es doch wichtig ist alles alte auf ein "alte" server umziehen.
Und oder extra email adresse wie protonmail dafür benutzen..

Yup contact all those to insecure and set a time limit they have to react.
If important then those to old to a insecure to old server, so not the others become insecure.

Extra email adress for those example at protonmail. or other mailservice to protect the mail infrastructure from to insecure settings

Most outlook at AT has still old 1.0 and or 1.1 tls still activated but also the 1.2 is working though.
"at.mail.protection.outlook.com.

at.mail.protection.outlook.com.	TLS 1.1	phase out
...	TLS 1.0	phase out

You should not get the error with those!? so your config is wrong somewhere!

Email test: weisselbau-wien.at

Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt

en.internet.nl

Email test: sozvers.at

Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt

en.internet.nl

 

[shanti]

The problem is now fixed, but the differences annoy me. Is our server still secure? Or should I revert back and...... ?

It feels like a workaround.

Hi @RoRoo , did you ever find a persistent or less workaroundy way to solved this mess ?
br
-c-

 

[ikkeben]

tls1.1 is indeed being dropped on our servers. For a while now.. (this install is 72 days old)

But the ciphers seem to have changed recently causing Apple (iOS and MacOS) clients and newer windows clients to fail.

@RoRoo
If so can you post here for DA support the log files mail on the DA server where you can see those errors.

And your config settings on the DA box.

 

[factor]

Did you think people actually update their servers?

 

[shanti]

atm tetsting with:

# POLARIX - https://help.poralix.com/articles/fixing-ssl-routines-error-ssl23-unknown-protocol-exim
tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA:DHE-RSA-AES256-GCM-SHA384:!DSS

openssl_options=+no_sslv2 +no_sslv3

tls_dhparam = /etc/exim_dh.pem
tls_on_connect_ports=465
tls_dh_max_bits=4096

cipher-errors are greatly reduced .. lets monitor that