[BlueOnyx:19223] Re: SSL3_GET_CLIENT_HELLO:no shared cipher

Jim Scott jscott at infoconex.com
Mon Feb 29 14:30:17 -05 2016


Michael,

>This has nothing to do with the SSL certificate. Regardless if you use a
>self signed cert, a Let's Encrypt or other real SSL cert.

>It indicates that the client tried to connect to SSL/TLS and entered a
>state of negotiation to find out what protocols and ciphers are
>supported by both client and server. So that they can then use the best
>option that they both support.

>However: The client and the server could not agree on a common cipher
>and that generated this error message.

>Sometime last year (around spring/summer) we did some security hardening
>on all BlueOnyx by default and locked down all relevant services to only
>use the most secure protocols and ciphers.

>See:

>http://mail.blueonyx.it/pipermail/blueonyx/2015-June/035562.html

>There were several updates related to this. Net result: We no longer
>support SSLv3 on any service (neither POP3, IMAP or SMTP). Instead we
>require TLSv1.0 or better. On EL6 or EL7 based BlueOnyx that would be
>TLSv1.2 with fallbacks to TLSv1.1 or TLSv1.0 at the worst.

>Your error message indicates your email clients tried to connect via
>SSLv3, which we no longer support. Please configure the clients to use
>TLS instead.

The issue seemed to be limited to customers using phones, mine being one of 
them. I am using a Windows Phone with Windows 8.1, and one of the other 
customers that had an issue was using a BlackBerry. My phone came up with a 
warning that the certificate had changed the first time I tried to access 
the account, and I accepted. Then it kept complaining afterwards that it had 
an issue downloading emails. When I looked at the server I would see the 
error reported. Then, when I started getting calls from other customers, I 
started to get worried. I tweaked the SMTP server configuration and was able 
to get myself and these customers to work. However, as reported, the 
configuration was restored by the BO server and the problem returned.

After many hours of pulling my hair out I removed all of my accounts from my 
phone and then set them up again from scratch. After doing so my phone had 
no issues in receiving/sending. So my assumption is that it still had the 
old certificate cached, and when things did not match it tried to use a lower 
cipher and was then rejected?

Thank you for the response.

Jim
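The thread above boils down to a server-side handshake failure: after the hardening, the server offers only TLSv1.0+ and a modern cipher list, and any client still proposing SSLv3 (or only legacy ciphers) is refused before it ever authenticates, which is why the only clue in the log is the "SSL3_GET_CLIENT_HELLO:no shared cipher" line. An admin who wants to know which clients are still affected, rather than waiting for support calls, can group those failures by client address. The following script is an added example, not code from the original post or from BlueOnyx; the log lines it parses are constructed samples in a dovecot-style format (the `rip=` field is the remote client IP), and the thresholds and function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the mailing-list post). The
# layout imitates dovecot imap-login/pop3-login entries: a handshake failure
# carries the OpenSSL "no shared cipher" text and rip=<client address>.
SAMPLE_LOG = """\
Feb 29 14:01:02 bx dovecot: imap-login: Disconnected: TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, rip=198.51.100.23, lip=203.0.113.5
Feb 29 14:01:09 bx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS
Feb 29 14:02:15 bx dovecot: imap-login: Disconnected: TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, rip=198.51.100.23, lip=203.0.113.5
Feb 29 14:03:40 bx dovecot: pop3-login: Disconnected: TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, rip=198.51.100.77, lip=203.0.113.5
Feb 29 14:05:01 bx dovecot: imap-login: Disconnected: TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, rip=198.51.100.23, lip=203.0.113.5
"""

# One regex for the three things we need: timestamp, which login service
# (imap-login / pop3-login) rejected the client, and the client's address.
# The handshake fails before authentication, so there is no username to log;
# the remote IP is the only identifier the server can give us.
_NO_SHARED_CIPHER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<service>\w+-login): .*no shared cipher.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_no_shared_cipher(log_text):
    """Return one dict per handshake failure caused by a cipher/protocol mismatch."""
    events = []
    for line in log_text.splitlines():
        m = _NO_SHARED_CIPHER.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_client(events):
    """Count 'no shared cipher' rejections per client address."""
    return Counter(e["rip"] for e in events)


def clients_needing_reconfiguration(events, threshold=2):
    """Addresses that failed at least `threshold` times: these are the phones
    and desktop clients still set to SSLv3 (or with a stale cached setup) that
    need their mail account reconfigured for TLS, as the thread advises."""
    counts = failures_by_client(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_no_shared_cipher(SAMPLE_LOG)
    for ip, n in failures_by_client(evs).most_common():
        print(f"{ip}: {n} rejected handshake(s)")
    print("reconfigure:", clients_needing_reconfiguration(evs))
```

Pointing the parser at a real `/var/log/maillog` (or the equivalent file on the BlueOnyx release in use) instead of `SAMPLE_LOG` gives the list of addresses to contact before the next round of support calls; a single failure is often a one-off retry, which is why the default threshold is two.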