On Thu, Jun 08, 2017 at 11:06:01AM +0300, Aki Tuomi wrote:
> 
> 
> On 07.06.2017 15:16, Pallissard, Matthew wrote:
> > I'm starting to see the following error when upgrading from 2.2.27 to 
> > 2.2.29.
> >
> > doveadm(ip.add.re.ss): Error: doveadm client disconnected before handshake: 
> > SSL_accept() failed: error:1417A0C1:SSL 
> > routines:tls_post_process_client_hello:no shared cipher
> >
> > Downgrading from 2.2.27 resolves, error still persists in 2.2.28.
> >
> > I'm using openssl 1.1.0.f and an ec cert/key with the following curve.
> >   ASN1 OID: prime256v1
> >   NIST CURVE: P-256
> >
> >
> > Does anyone know anything about this off the top of their head? If not I'll 
> > try to git-bisect 2.2.27 -> 2.2.28 and see if I can find any offending 
> > commits later on this week.
> >
> 
> That would indicate a problem with cipher lists. What are you doing that
> causes this?
> 
> Aki

I'm dealing with a pretty vanilla config. 


The only ssl related settings are as follows.

ssl_cert                        = </etc/ssl/ecc.cer
ssl_key                         = </etc/ssl/ecc.key

local_name domain.com {
  ssl_cert                      = </etc/ssl/domain.com.ecc.pem
  ssl_key                       = </etc/ssl/domain.com.ecc.key
}

mail_replica = tcps:replica.hostname:port


When I turn up the ssl debug logging, all I get is the following.

From the host where mail is being replicated to;
doveadm: Debug: SSL: elliptic curve prime256v1 will be used for ECDH and ECDHE 
key exchanges
doveadm(replicating.to.this.host): Debug: SSL: where=0x10, ret=1: before SSL 
initialization
doveadm(replicating.to.this.host): Debug: SSL: where=0x2001, ret=1: before SSL 
initialization
doveadm(replicating.to.this.host): Debug: SSL: where=0x2002, ret=-1: before SSL 
initialization
doveadm(replicating.to.this.host): Debug: SSL: where=0x2002, ret=-1: before SSL 
initialization
doveadm(replicating.to.this.host): Debug: SSL: where=0x2001, ret=1: before SSL 
initialization
doveadm(replicating.to.this.host): Debug: SSL alert: where=0x4008, ret=552: 
fatal handshake failure
doveadm(replicating.to.this.host): Debug: SSL: where=0x2002, ret=-1: error
doveadm(replicating.to.this.host): Debug: SSL error: SSL_accept() failed: 
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
doveadm(replicating.to.this.host): Error: doveadm client disconnected before 
handshake: SSL_accept() failed: error:1417A0C1:SSL 
routines:tls_post_process_client_hello:no shared cipher
doveadm(replicating.to.this.host): Debug: SSL error: SSL_accept() syscall 
failed: Invalid argument

From the host where the mail is being replicated from.
dovecot[5904]: doveadm(m...@pallissard.net): Error: doveadm server disconnected 
before handshake: Broken pipe
dovecot[5904]: doveadm(m...@pallissard.net): Error: sync: Disconnected from 
remote: Broken pipe

-- 
Matt Pallissard
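
Added example, not part of the original message and not Dovecot code: a small decoder for the `where=`/`ret=` values and the packed error code in the debug output above. The flag values are the info-callback constants from OpenSSL's `ssl.h`, and the error-code layout is the OpenSSL 1.1.0 one; the function names and the sample lines (log lines from the message with the wrapping rejoined) are this example's own.

```python
import re

# Info-callback "where" bits from OpenSSL's <openssl/ssl.h>.
STATE = {0x1000: "connect", 0x2000: "accept"}
EVENT = {0x01: "loop", 0x02: "exit", 0x04: "read", 0x08: "write",
         0x10: "handshake_start", 0x20: "handshake_done", 0x4000: "alert"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# TLS alert descriptions (RFC 5246, section 7.2); deliberately partial.
ALERT_DESC = {0: "close_notify", 40: "handshake_failure",
              42: "bad_certificate", 70: "protocol_version",
              71: "insufficient_security"}
LINE = re.compile(r"where=0x([0-9a-fA-F]+), ret=(-?\d+)")

def decode_where(where):
    """Names of the state and event bits set in a where= value."""
    return [name for table in (STATE, EVENT)
            for bit, name in table.items() if where & bit]

def decode_alert(ret):
    """For alert callbacks ret is (level << 8) | description."""
    desc = ret & 0xFF
    return ALERT_LEVEL.get(ret >> 8, "unknown"), ALERT_DESC.get(desc, str(desc))

def decode_error(code):
    """OpenSSL 1.1.0 packing: 8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(line):
    """Return a readable form of one 'Debug: SSL' line, or None."""
    m = LINE.search(line)
    if m is None:
        return None
    flags = decode_where(int(m.group(1), 16))
    ret = int(m.group(2))
    if "alert" in flags:
        return "+".join(flags) + ": " + " ".join(decode_alert(ret))
    return "+".join(flags) + f" (ret={ret})"

# Log lines from the message above, rejoined onto single lines.
SAMPLE = [
    "doveadm(replicating.to.this.host): Debug: SSL: where=0x2001, ret=1: before SSL initialization",
    "doveadm(replicating.to.this.host): Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure",
    "doveadm(replicating.to.this.host): Debug: SSL: where=0x2002, ret=-1: error",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(explain(entry))
    # 20 is ERR_LIB_SSL and reason 193 is SSL_R_NO_SHARED_CIPHER.
    print(decode_error(0x1417A0C1))
```

The `accept` state shows the logging host is acting as the TLS server, and `write+alert` shows it sent the fatal handshake_failure itself, which fits the "Broken pipe" seen on the sending host.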
