Topic: warning: TLS library problem: error
==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
May 31 14:43:34 nm2 postfix/smtpd[12077]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
Also getting: SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1418:
cat /etc/postfix/main.cf | grep tls
# smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
# smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
# smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/nm2.abgnetwork.net.crt
smtpd_tls_key_file = /etc/ssl/private/nm2.key
smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = SSLv2, !SSLv3, TLSv1.1, TLSv1.2
smtpd_tls_security_level = may
smtpd_enforce_tls = no
smtpd_tls_loglevel = 0
tls_random_source = dev:/dev/urandom
# tls_daemon_random_source = dev:/dev/urandom
# smtp_pix_workaround_threshold_time = 500s
smtp_tls_security_level = may
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
nm2:/etc/amavis/conf.d# cat /etc/dovecot/dovecot.conf | grep ssl
ssl = yes
verbose_ssl = no
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM
# ssl_cert = </etc/ssl/certs/iRedMail_CA.pem
# ssl_key = </etc/ssl/private/iRedMail.key
ssl_cert = </etc/ssl/certs/nm2.abgnetwork.net.pem
ssl_key = </etc/ssl/private/nm2.key
ssl_ca = </etc/ssl/certs/gd_bundle.pem
I tried this in the dovecot.conf file, but Outlook 2010 stopped working for users.
# ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM
nm2:/etc/amavis/conf.d# cat /etc/iredmail-release
0.9.6
Debian
Tried upgrading OpenSSL.
Tried upgrading Postfix.
Added smtpd_tls_protocols = SSLv2, !SSLv3, TLSv1.1, TLSv1.2
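A triage sketch for the warning quoted in the post, added here as an example and not part of the original post or of iRedMail: it splits the OpenSSL error string into its fields and pairs each warning with the `SSL_accept error from host[ip]: -1` line that Postfix smtpd logs under the same PID, so failures can be counted per client. The function names and every sample line other than the warning text from the post are constructed.

```python
import re
from collections import Counter

# Syslog prefix as in the post: "May 31 14:43:34 nm2 postfix/smtpd[12077]: <msg>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# smtpd names the peer on the line it logs just before the library warning.
ACCEPT_ERR = re.compile(r"^SSL_accept error from \S+\[(?P<ip>[^\]]+)\]")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_WARN = re.compile(
    r"^warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):")

# Constructed sample: W is the warning text from the post; the SSL_accept
# lines, PIDs 12080/12081, later timestamps and client addresses are made up.
W = ("warning: TLS library problem: error:1417A0C1:SSL routines:"
     "tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:")
SAMPLE = [
    "May 31 14:43:34 nm2 postfix/smtpd[12077]: SSL_accept error from unknown[192.0.2.10]: -1",
    "May 31 14:43:34 nm2 postfix/smtpd[12077]: " + W,
    "May 31 14:44:02 nm2 postfix/smtpd[12080]: SSL_accept error from unknown[198.51.100.7]: -1",
    "May 31 14:44:02 nm2 postfix/smtpd[12080]: " + W,
    "May 31 14:44:40 nm2 postfix/smtpd[12077]: SSL_accept error from unknown[192.0.2.10]: -1",
    "May 31 14:44:40 nm2 postfix/smtpd[12077]: " + W,
    "May 31 14:45:10 nm2 postfix/smtpd[12081]: " + W,  # peer line missing
]

def tls_failures(lines):
    """Return one dict per TLS library warning, tagged with the peer if seen."""
    peer_by_pid, found = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        accept = ACCEPT_ERR.match(m["msg"])
        if accept:  # remember which client this smtpd process was serving
            peer_by_pid[m["pid"]] = accept["ip"]
            continue
        warn = TLS_WARN.match(m["msg"])
        if warn:
            client = peer_by_pid.pop(m["pid"], "unknown")
            found.append({"ts": m["ts"], "client": client, **warn.groupdict()})
    return found

def summarize(lines):
    """Count failures per (client address, OpenSSL reason string)."""
    return Counter((f["client"], f["reason"]) for f in tls_failures(lines))

if __name__ == "__main__":
    for (client, reason), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {client:15s}  {reason}")
```

Clients that recur in the output are the ones to test individually, since the reason string alone does not say which side's cipher or protocol list caused the mismatch.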