Hello,
I run a mail server that is running Centos 5, fully patched. There are a few domains that I have trouble sending to. The errors look like this :
Code:
STARTTLS=client: 814:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.
I have updated my openssl package to the latest version in the Centos 5 repo. I have updated my DH keys, blocked SSLv2 and SSLv3. See my local config below for sendmail:
Code:
LOCAL_CONFIG
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/etc/pki/tls/certs/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
I am just not sure if the issue is on my end or theirs. They don't have an issue sending mail to me, so that makes me think the issue is on my end.
Google searching for the error "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" hasn't really yielded many results. Most of it was for web servers.
I am maybe thinking it's a cypher issue? In that both servers can't agree on a cipher? If anyone has any light they can shed or suggestions, I am all ears.
I was also wondering if I should update my CipherList to be just "HIGH". Thoughts? Thanks!