On 17/02/14 12:07, Dogsbody wrote:
> We upgraded the BO on one of our servers last night and now have two
> separate customers that can't connect to POP3S giving the same error as
> above.
>
> We did identify a cert issue that the BO update overwrote and have fixed
> that again with...
>
> cp /etc/admserv/certs/ca-certs /etc/pki/dovecot/certs/ca.pem
> vi /etc/dovecot/conf.d/10-ssl.conf
> ssl_ca = </etc/pki/dovecot/certs/ca.pem
> service dovecot restart

More information... found this in the logs...

dovecot: pop3-login: Disconnected (no auth attempts): <SNIP> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I can now see the cipher changes in /etc/dovecot/conf.d/10-ssl.conf

I have managed to get my customers working again by changing the
ssl_cipher_list to the following based on this blog post...
http://jasonbrown.us/blog/disable_weak_cipher_dovecot

ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA

Michael, I'm sure you spent ages coming up with your cipher_list. It
seems it's too restrictive :-/ Can you please open this up a little
again as well as making the change above to ssl_ca.

Even though I have been ripping my hair out today :-p Thank you, we do
need more secure communications :-)

Dan

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
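
Added example, not part of the original post: a small log triage script that groups failed TLS handshakes like the one quoted above by service, client address and OpenSSL reason, so the clients affected by a tightened ssl_cipher_list can be identified before it is loosened for everyone. The sample log lines are constructed, and the rip=/lip= fields (snipped in the post) are assumed to follow Dovecot's usual login log layout.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post). Addresses are
# documentation ranges; the rip=/lip= layout is an assumption.
SAMPLE_LOG = """\
Feb 17 12:01:10 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 17 12:01:40 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 17 12:02:03 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.44, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 17 12:02:30 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, TLS
Feb 17 12:03:15 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=203.0.113.9, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# service = text before "-login", rip = remote IP, reason = last field of
# the OpenSSL error string (error:<code>:<library>:<function>:<reason>).
LINE_RE = re.compile(
    r"dovecot: (?P<service>\w+)-login: .*?rip=(?P<rip>[^,\s]+)"
    r".*?SSL_accept\(\) failed: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^:,]+)"
)


def tls_failures(log_text):
    """Yield (service, client_ip, reason) for every failed TLS handshake."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["service"], m["rip"], m["reason"].strip()


def summarize(log_text):
    """Count failures per (service, client, reason)."""
    return Counter(tls_failures(log_text))


def clients_without_shared_cipher(log_text):
    """Clients whose offered cipher suites were all rejected by the server."""
    return sorted({ip for _, ip, reason in tls_failures(log_text)
                   if reason == "no shared cipher"})


if __name__ == "__main__":
    for (service, ip, reason), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {service:5s} {ip:15s} {reason}")
    print("no shared cipher:", ", ".join(clients_without_shared_cipher(SAMPLE_LOG)))
```

To use it on a real server, pass the contents of the mail log to summarize() instead of SAMPLE_LOG.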