On 31.05.2021 14:27, Viktor Dukhovni via Exim-users wrote:
> On Mon, May 31, 2021 at 01:44:39PM +0200, Marcin Gryszkalis via Exim-users wrote:
>> exim's cipher list is wide
>> ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>
> What is the reason for disabling DHE ciphers?

So there's no need to remember to prepare proper dh params, not
important anyway I guess.

> This cipher list looks rather kludgey. Try "DEFAULT".

This problem applies to one server only, any other can connect without
problems. I left TLS1.0 and 1.1 because they are still used. Here are
the stats from exim log:
2 TLS1.2:AES128-GCM-SHA256:128
3 TLS1.2:AES256-SHA:256
12 TLS1.2:AES256-GCM-SHA384:256
15 TLS1.1:ECDHE-ECDSA-AES256-SHA:256
18 TLS1.2:ECDHE-RSA-AES256-SHA:256
43 TLS1.1:ECDHE-RSA-AES256-SHA:256
54 TLS1.2:ECDHE-ECDSA-AES256-SHA384:256
149 TLS1:AES256-SHA:256
156 TLS1.2:DHE-RSA-AES256-GCM-SHA384:256
307 TLS1:DHE-RSA-AES256-SHA:256
313 TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128
384 TLS1:ECDHE-ECDSA-AES256-SHA:256
672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128
1214 TLS1:ECDHE-RSA-AES256-SHA:256
1467 TLS1.2:ECDHE-RSA-AES256-SHA384:256
3192 TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256
15980 TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
As you can see, this list has a part in common with the list from the
Client Hello, e.g. the first one, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b),
is on the list (672 TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128).
The curve proposed by the client (secp256r1) is also supported.

>> 40884 openssl option, adding to 03104000: 02000000 (no_sslv3 +no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to 03104000: 01000000 (no_sslv2 +cipher_server_preference)
>> 40884 openssl option, adding to 03104000: 00400000 (cipher_server_preference)
>> 40884 setting SSL CTX options: 0x3504000
>> 40884 Diffie-Hellman initialized from default with 2048-bit prime
>> 40884 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
>> 40884 tls_certificate file '/letsencrypt/certs/mail.domain.com/fullchain.pem'
>> 40884 tls_privatekey file '/letsencrypt/certs/mail.domain.com/privkey.pem'
>> 40884 Initialized TLS
>> 40884 required ciphers: ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
>> 40884 host in tls_verify_hosts? no (option unset)
>> 40884 host in tls_try_verify_hosts? no (end of list)
>> 40884 SMTP>> 220 TLS go ahead
>> 40884 Calling SSL_accept
>> 40884 SSL_accept: before/accept initialization
>> 40884 SSL3 alert write:fatal:handshake failure
>
> That rather looks like your own server is initiating the handshake
> failure. It is writing the alert, not reading a remote alert.

I think it says that exim returned handshake error (it did).

>> 40884 SSL_accept: error in error
>> 40884 SSL_accept: error in error
>
> I haven't seen that one much. Perhaps an issue in the Exim OpenSSL glue
> code.

could be

> The server does not believe it has any shared ciphers available. You
> should also check the system-wide "openssl.cnf" file for any vendor
> configured protocol or cipher restrictions.

It's FreeBSD's default openssl.cnf without any modifications.

>> wireshark dump from client hello
>
> This does not look like the entire client hello message.

I did some cleaning, here is the missing prefix:

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 120
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 116
            Version: TLS 1.2 (0x0303)
            Random: 60b49...
                GMT Unix Time: May 31, 2021 10:07:16.000000000 CEST
                Random Bytes: f233...
            Session ID Length: 0
            Cipher Suites Length: 24
            Cipher Suites (12 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 51
            Extension: supported_groups (len=4)
                Type: supported_groups (10)
                Length: 4
                Supported Groups List Length: 2
                Supported Groups (1 group)
                    Supported Group: secp256r1 (0x0017)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

> And where's the server's reply (HELLO or alert?)?

It's the next packet:

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

--
Marcin Gryszkalis, PGP 0xA5DBEEC7 http://fork.pl/gpg.txt
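
An added example, not part of the original message: it expands the cipher string from the debug log with the OpenSSL library the local Python is linked against and intersects it with the cipher suite code points from the Client Hello dump. The result reflects the local OpenSSL build rather than the FreeBSD server's, and it does not take certificate type, groups or signature algorithms into account; the function names are illustrative.

```python
import ssl

# Exim's required ciphers, copied from the debug log in the message.
SERVER_CIPHERS = ("ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:"
                  "!EXP:!SRP:!DSS:!DHE:!3DES")

# Cipher suite code points from the Client Hello dump, in client order.
CLIENT_HELLO_SUITES = [0xC02B, 0xC02F, 0xC023, 0xC027, 0xC013, 0x009D,
                       0x009C, 0x003D, 0x003C, 0x0035, 0x002F, 0x000A]


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local library.

    Returns {code_point: openssl_name} in the library's preference order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # 'id' is 0x0300XXXX; the low 16 bits are the code point seen on the wire.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(cipher_string, offered, server_preference=True):
    """Suites both sides list, ordered the way the chooser would walk them."""
    enabled = expand(cipher_string)
    if server_preference:  # matches cipher_server_preference in the log
        return [(cp, name) for cp, name in enabled.items() if cp in offered]
    return [(cp, enabled[cp]) for cp in offered if cp in enabled]


def rejected_by_policy(cipher_string, offered):
    """Offered code points that the cipher string (or this build) excludes."""
    enabled = expand(cipher_string)
    return [cp for cp in offered if cp not in enabled]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for cp, name in shared_suites(SERVER_CIPHERS, CLIENT_HELLO_SUITES):
        print(f"shared   0x{cp:04x}  {name}")
    for cp in rejected_by_policy(SERVER_CIPHERS, CLIENT_HELLO_SUITES):
        print(f"excluded 0x{cp:04x}")
```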