[BlueOnyx:14670] Re: error (0x800CCC80): - WORKAROUND
Dogsbody
dan at dogsbody.org
Mon Feb 17 07:42:01 -05 2014
On 17/02/14 12:07, Dogsbody wrote:
> We upgraded the BO on one of our servers last night and now have two
> separate customers that can't connect to POP3S giving the same error as
> above.
>
> We did identify a cert issue that the BO update overwrote and have fixed
> that again with...
>
> cp /etc/admserv/certs/ca-certs /etc/pki/dovecot/certs/ca.pem
> vi /etc/dovecot/conf.d/10-ssl.conf
> ssl_ca = </etc/pki/dovecot/certs/ca.pem
> service dovecot restart
More information... found this in the logs...
dovecot: pop3-login: Disconnected (no auth attempts): <SNIP> TLS
handshaking: SSL_accept() failed: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
I can now see the cipher changes in /etc/dovecot/conf.d/10-ssl.conf
I have managed to get my customers working again by changing the
ssl_cipher_list to the following based on this blog post...
http://jasonbrown.us/blog/disable_weak_cipher_dovecot
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA
Michael, I'm sure you spent ages coming up with your cipher_list. It
seems it's too restrictive :-/
Can you please open this up a little again, as well as making the change
above to ssl_ca?
Even though I have been ripping my hair out today :-p Thank you, we do
need more secure communications :-)
Dan
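The "no shared cipher" line in the Dovecot log above is the server finding no overlap between its ssl_cipher_list and the suites the client offered. The script below is an added example, not code from the thread or from BlueOnyx or Dovecot: it uses only Python's standard ssl module to expand two OpenSSL cipher strings the way the server does and intersect them, so an administrator can check a candidate ssl_cipher_list against an older client's capabilities offline before restarting Dovecot. The server and client cipher strings in it are constructed for illustration, and the two clients are hypothetical.

```python
"""Reproduce Dovecot's "SSL3_GET_CLIENT_HELLO:no shared cipher" offline.

Added example (not from the mailing-list post).  Assumes only the stdlib
ssl module.  SERVER_STRICT, CLIENT_MODERN and CLIENT_LEGACY are constructed
sample cipher strings, not captured from a real server or mail client.
"""
import ssl

# Constructed samples: a restrictive server-side ssl_cipher_list and two
# hypothetical clients, one of which (like the 2014-era clients in the
# thread) offers no ECDHE suites at all.
SERVER_STRICT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
CLIENT_MODERN = "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"
CLIENT_LEGACY = "AES256-GCM-SHA384:AES128-GCM-SHA256"

# The ssl_cipher_list Dan ended up using, copied from the post above.
POST_LIST = (
    "ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:"
    "!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:"
    "!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:"
    "!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA"
)


def expand_cipher_string(cipher_string):
    """Return the TLS<=1.2 cipher names an OpenSSL cipher string selects.

    TLS 1.3 suites are dropped because set_ciphers() does not govern them
    and the clients in the thread predate TLS 1.3.  A string that selects
    nothing makes OpenSSL raise, which is exactly the case where no
    handshake can ever succeed, so it is reported as an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_ciphers(server_string, client_string):
    """Ciphers both sides support, in the server's preference order."""
    client = set(expand_cipher_string(client_string))
    return [name for name in expand_cipher_string(server_string) if name in client]


def handshake_outcome(server_string, client_string):
    """Mimic the decision behind the log line: a chosen suite, or the
    "no shared cipher" failure from the post."""
    common = shared_ciphers(server_string, client_string)
    if not common:
        return "no shared cipher"
    return "negotiated " + common[0]


if __name__ == "__main__":
    for label, client in (("modern", CLIENT_MODERN), ("legacy", CLIENT_LEGACY)):
        print(label, "client vs strict server ->",
              handshake_outcome(SERVER_STRICT, client))
    # Negated names a newer OpenSSL no longer knows are ignored by the
    # parser, so the list from the post still expands on current builds.
    print("post's ssl_cipher_list selects",
          len(expand_cipher_string(POST_LIST)), "TLS<=1.2 suites")
    print("legacy client vs post's list ->",
          handshake_outcome(POST_LIST, CLIENT_LEGACY))
```

The same expansion is available on the server itself with `openssl ciphers -v '<cipher string>'`, which is the quickest way to see what a proposed ssl_cipher_list actually enables before committing it to 10-ssl.conf. Note that OpenSSL silently ignores cipher names it does not recognise, so a typo in a `!` exclusion goes unnoticed; only a string that selects nothing at all is rejected.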