TLS error on connection from ... (SSL_accept): (TLSv1.2)

Vincentc

Hello All,

I am having trouble with emails generating the following error:

2023-01-18 16:26:54 TLS error on connection from mail-lf1-f54.google.com [209.85.167.54] (SSL_accept): (TLSv1.2)
2023-01-18 16:28:04 TLS error on connection from mail-lj1-f172.google.com [209.85.208.172] (SSL_accept): (TLSv1.2)

===============================================
exim.variables.conf:openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +no_tlsv1_2 +cipher_server_preference

[root@cloud etc]# cat /etc/dovecot/conf/ssl.conf
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key
ssl_dh = </etc/dovecot/dh.pem

ssl_min_protocol = TLSv1.3

DA Version: 1.646 Commit: 0ba485c2404333...
===============================================

We tried changing OpenSSL_options and even rebuilding dovecot but no luck.

Any help is appreciated on this.

Thank you !!
 
[209.85.167.54] (SSL_accept): (TLSv1.2)
Why did you disable TLS v1.2 as this seems to be requested? Not everyone is using TLS v1.3 at the moment.
TLS 1.2 is still safe and it would be enough to disable 1.0 and 1.1.

Try this via ssh as root:
Code:
cd /usr/local/directadmin/custombuild
./build set ssl_configuration intermediate
./build update
./build exim
./build exim_conf
./build dovecot
./build dovecot_conf
./build rewrite_confs

This should make the necessary changes.
The exim.variables.conf should have this for TLS:
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference
and maybe some other changes.

And the dovecot's ssl.conf should have:
ssl_min_protocol = TLSv1.2
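The two settings Richard points at can be checked mechanically before touching a live mail server. The following is an added example (not DirectAdmin, exim or dovecot code): it audits an exim `openssl_options` value and a dovecot `ssl_min_protocol` line for the misconfiguration from the first post, and classifies exim mainlog "TLS error on connection" entries by cause. The sample config values and log lines are constructed to mirror what the thread shows.

```python
"""Audit exim/dovecot TLS floor settings and classify exim TLS accept errors.

Added example for this thread; not code from DirectAdmin, exim or dovecot.
The sample values below are constructed from the thread's own posts.
"""
import re
from collections import Counter

# Constructed: the broken value from the first post and the value Richard recommends.
EXIM_OPTIONS_BROKEN = "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +no_tlsv1_2 +cipher_server_preference"
EXIM_OPTIONS_FIXED = "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference"


def audit_exim_openssl_options(options: str) -> list[str]:
    """Return findings for an exim `openssl_options` value.

    SSLv2/3 and TLS 1.0/1.1 should be disabled; TLS 1.2 must stay enabled
    because most sending MTAs (gmail in the thread) still negotiate it.
    """
    flags = set(options.split())
    findings = []
    if "+no_tlsv1_2" in flags:
        findings.append("TLSv1.2 disabled: peers offering TLSv1.2 will fail SSL_accept")
    for legacy in ("+no_sslv2", "+no_sslv3", "+no_tlsv1", "+no_tlsv1_1"):
        if legacy not in flags:
            findings.append(f"{legacy} missing: legacy protocol still enabled")
    return findings


PROTO_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def audit_dovecot_min_protocol(ssl_conf: str) -> list[str]:
    """Check dovecot's ssl_min_protocol; TLSv1.2 is the floor that still admits common clients."""
    m = re.search(r"^\s*ssl_min_protocol\s*=\s*(\S+)", ssl_conf, re.M)
    if not m:
        return ["ssl_min_protocol not set: dovecot default applies"]
    value = m.group(1)
    rank = PROTO_RANK.get(value)
    if rank is None:
        return [f"unknown ssl_min_protocol value {value!r}"]
    if rank > PROTO_RANK["TLSv1.2"]:
        return [f"ssl_min_protocol = {value}: clients limited to TLSv1.2 cannot connect"]
    if rank < PROTO_RANK["TLSv1.2"]:
        return [f"ssl_min_protocol = {value}: allows deprecated TLS versions"]
    return []


# Exim mainlog shape seen in the thread:
# "<date> <time> TLS error on connection from <host> [<ip>] (SSL_accept): <detail>"
TLS_ERR = re.compile(
    r"^(\S+ \S+) TLS error on connection from (\S+) \[([^\]]*)\] \(SSL_accept\): (.*)$"
)


def classify_tls_error(detail: str) -> str:
    """Map the trailing detail of an SSL_accept error to a cause label."""
    d = detail.strip()
    if d.startswith("(TLSv") and d.endswith(")"):
        return "protocol-version"  # e.g. "(TLSv1.2)": that version is disabled server-side
    if "no shared cipher" in d:
        return "no-shared-cipher"  # the server's cert/key suits none of the offered suites
    return "other"


def summarize_exim_log(lines) -> dict:
    """Count TLS accept failures per cause and per peer host name."""
    by_cause, by_peer = Counter(), Counter()
    for line in lines:
        m = TLS_ERR.match(line)
        if not m:
            continue
        _ts, host, _ip, detail = m.groups()
        by_cause[classify_tls_error(detail)] += 1
        by_peer[host] += 1
    return {"by_cause": dict(by_cause), "by_peer": dict(by_peer)}


# Constructed sample log, mirroring the lines quoted in the thread.
SAMPLE_LOG = [
    "2023-01-18 16:26:54 TLS error on connection from mail-lf1-f54.google.com [209.85.167.54] (SSL_accept): (TLSv1.2)",
    "2023-01-18 16:28:04 TLS error on connection from mail-lj1-f172.google.com [209.85.208.172] (SSL_accept): (TLSv1.2)",
    "2023-01-18 20:02:52 TLS error on connection from amazing.monitoring.internet-measurement.com [xxx.xxx.xx] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher",
    "2023-01-18 20:06:24 TLS error on connection from nurturing.monitoring.internet-measurement.com [xxx.xxx.xx] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher",
    "2023-01-18 20:07:00 <= sender@example.invalid H=mail.example.invalid [192.0.2.10] P=esmtps",
]

if __name__ == "__main__":
    print(audit_exim_openssl_options(EXIM_OPTIONS_BROKEN))
    print(audit_dovecot_min_protocol("ssl_min_protocol = TLSv1.3"))
    print(summarize_exim_log(SAMPLE_LOG))
```

Run against the real files with something like `audit_exim_openssl_options(open("/etc/exim.variables.conf").read().split("=", 1)[1])` and `audit_dovecot_min_protocol(open("/etc/dovecot/conf/ssl.conf").read())`; the log summary separates the "version disabled" symptom from the "no shared cipher" symptom, which the thread shows have different fixes.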
 
Thanks for the suggestion, Richard ..

The TLS v1.2 was disabled due to some update and I was not able to figure out how to revert it. The steps you provided helped to set the 'openssl_options' and 'ssl_min_protocol'. But the exim log is now showing this:

2023-01-18 20:02:52 TLS error on connection from amazing.monitoring.internet-measurement.com [xxx.xxx.xx] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2023-01-18 20:06:24 TLS error on connection from nurturing.monitoring.internet-measurement.com [xxx.xxx.xx] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Any suggestions on this?

Thank you !!
 
get_client_hello:no shared cipher
Yes, that's a known one to me; probably your hostname does not have the ciphers needed.

Try this command in ssh:
nmap --script ssl-enum-ciphers -p 465 localhost

Check if you have these present (at least the 2 mentioned above):
Code:
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

If you don't have those AES ciphers, then there is your problem. Fix it by creating a new SSL certificate for your hostname.

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single serverdomain.com 4096
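The cipher check above is easy to automate once the nmap output is parsed. This is an added example, not DirectAdmin or nmap code: it reads `nmap --script ssl-enum-ciphers` output, lists the suites offered per protocol version, and reports which of the four AES-GCM suites Richard names are missing. The two sample outputs are constructed to mirror the "before" and "after" scans in this thread; the function names are my own.

```python
"""Parse nmap ssl-enum-ciphers output and check for the expected AES-GCM suites.

Added example for this thread; not code from DirectAdmin or nmap.
Sample outputs are constructed from the scans quoted in the thread.
"""
import re

# The four suites Richard expects to see under TLSv1.2 (ECDHE/DHE + AES-GCM).
REQUIRED_TLS12_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

PROTO_LINE = re.compile(r"^(TLSv\d(?:\.\d)?|SSLv\d):\s*(.*)$")


def parse_ssl_enum_ciphers(output: str) -> dict[str, list[str]]:
    """Map protocol version -> cipher suite names from nmap ssl-enum-ciphers output.

    A version line such as "TLSv1.2: No supported ciphers found" yields an
    empty list, which is exactly the "no shared cipher" situation.
    """
    result: dict[str, list[str]] = {}
    proto = None
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # only script output lines carry the leading pipe
        text = line.lstrip("|_ ").strip()
        m = PROTO_LINE.match(text)
        if m:
            proto = m.group(1)
            result.setdefault(proto, [])
            section = None
            continue
        if proto is None:
            continue  # e.g. the "ssl-enum-ciphers:" header itself
        if text.endswith(":"):
            section = text[:-1]  # "ciphers", "compressors", ...
            continue
        if section == "ciphers":
            name = text.split(" - ")[0].split()[0]
            if name.startswith("TLS_"):
                result[proto].append(name)
    return result


def missing_required_suites(parsed: dict[str, list[str]], proto: str = "TLSv1.2") -> list[str]:
    """Return the required suites that the given protocol version does not offer."""
    offered = set(parsed.get(proto, []))
    return sorted(REQUIRED_TLS12_SUITES - offered)


# Constructed: the scan before the certificate was reissued.
SCAN_BEFORE = """\
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|_  TLSv1.2: No supported ciphers found
"""

# Constructed: the scan after a new certificate for the hostname was issued.
SCAN_AFTER = """\
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_    least strength: strong
"""

if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        parsed = parse_ssl_enum_ciphers(scan)
        print(label, parsed, "missing:", missing_required_suites(parsed))
```

Feed it a real scan with `parse_ssl_enum_ciphers(subprocess.run(["nmap", "--script", "ssl-enum-ciphers", "-p", "465", "localhost"], capture_output=True, text=True).stdout)`; an empty `TLSv1.2` list means the server presents no certificate/key usable with any suite the client offers, which is what exim reports as "no shared cipher".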
 
Hello Richard,

I really appreciate your reply, the suggested ciphers were not there:

=================================================================================
[root@cloud ~]# nmap --script ssl-enum-ciphers -p 465 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-18 22:23 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
|_ TLSv1.2: No supported ciphers found

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
[root@cloud ~]#
=================================================================================

After that I fixed it by generating a new SSL certificate for the server hostname, and now it's showing:

Host is up (0.00016s latency).
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_    least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

The error seems to have disappeared. Thanks a million, Richard, I really appreciate it.

Thank you !!
 