Discussion:
tls connect errors : extremely urgent
Rajesh M.
2014-10-13 18:42:38 UTC
hi

i also get following message

deferral: TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;deferral: TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;

rajesh

----- Original Message -----
From: Rajesh M. [mailto:***@24x7server.net]
To: qmailtoaster-***@qmailtoaster.com
Sent: Mon, 13 Oct 2014 23:06:10 +0530
Subject: Re: [qmailtoaster] tls connect errors

i am getting errors like this

2014-10-13 22:59:11.643242500 delivery 68: deferral: TLS_connect_failed;_connected_to_94.56.16.164./

basically i am referring to email communication between my server to the recipient's server.

my users are sending using normal smtp authenticated connection using outlook.

rajesh


----- Original Message -----
From: Cecil Yother, Jr. [mailto:***@yother.com]
To: qmailtoaster-***@qmailtoaster.com
Sent: Mon, 13 Oct 2014 10:21:01 -0700
Subject: Re: [qmailtoaster] tls connect errors

What do your secure (TLS) logs say?
urgent help required please
emails sent by our clients to various domains are bouncing back from all 4 servers which have identical qmail installation.
if it cannot be fixed immediately then please let me know how to disable tls based outgoing emailing
rajesh
----- Original Message -----
Sent: Mon, 13 Oct 2014 19:03:47 +0530
Subject: [qmailtoaster] tls connect errors
hi eric
we are getting tls connect errors
_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;_connected_to_82.148.101.101./
in our previous centos 5 32 bit installation of qmail the permissions were
-rw-r--r-- 1 root qmail 493 Oct 13 01:01 rsa512.pem
-rw-r--r-- 1 root qmail 1689 Nov 13 2012 servercert.pem
and this works correctly
in the new installation 64 bit
the permissions are
-rw-r--r-- 1 root qmail 493 Oct 13 01:01 rsa512.pem
-rw-r----- 1 root vchkpw 2830 Oct 10 22:27 servercert.pem
and we are getting tls errors
help required please
rajesh
---------------------------------------------------------------------
Cecil Yother, Jr.
2014-10-13 18:54:57 UTC
What version of SSL are you running?
---------------------------------------------------------------------
Eric Shubert
2014-10-14 00:09:42 UTC
The cert's probably ok. I'm guessing that the destination server can't
handle the more secure ciphers that are being used now (the newer QMT is
hardened a bit security wise).

Try this:
# cd /var/qmail/control
# mv tlsserverciphers tlsserverciphers.qmt
# ln -s tlsserverciphers.dist tlsserverciphers

You might need to restart qmail after doing this. That should put you
back to the older more permissive (and insecure) ciphers.

You may or may not have a tlsciphers.dist file. If you don't, I've
attached one from my COS6 QMT (although I don't use it - I use the more
secure one).

Let us know if that does it for you.

Thanks.
--
-Eric 'shubes'
---------------------------------------------------------------------
Rajesh M.
2014-10-14 01:47:01 UTC
thanks very much eric

i simply backed up the tlsserverciphers and edited the existing tlsserverciphers

it worked.

i hope it does not matter if i do not create the new tlsserverciphers.dist file

rajesh


---------------------------------------------------------------------
Eric Shubert
2014-10-14 02:08:48 UTC
I don't see how it could matter, so long as you have valid values in
there. It's just a text file.

Do you mind sharing which ciphers you needed to add to accommodate which
mail server on the other end?

Of course the same mail server software on the other end could be
configured differently from one host to the next. It's a little
suspicious to me though that the only ciphers available are insecure
ones. It's also possible though that the other server quit trying after
the first one failed. Python had a similar problem with this (not
checking alternative authentication methods after failing the first)
before I reported the behavior as a bug, which was subsequently fixed.

Thanks.
--
-Eric 'shubes'
---------------------------------------------------------------------
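Added example, not part of the original thread and not qmail or QMT code: a Python triage script for the deferral lines quoted above. It decodes the OpenSSL error code 14077410 (assuming the pre-3.0 packing of library, function and reason, where a reason of 1000 plus N means the peer sent TLS alert N) and groups TLS failures by destination, so the hosts that reject the handshake can be identified before the cipher list is loosened for every destination. The sample log is constructed from the lines in the thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: messages taken from the thread; the second timestamp,
# both extra delivery numbers and the success line are made up.
SAMPLE_LOG = """\
2014-10-13 22:59:11.643242500 delivery 68: deferral: TLS_connect_failed;_connected_to_94.56.16.164./
2014-10-13 22:59:12.000000000 delivery 69: deferral: TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;_connected_to_82.148.101.101./
2014-10-13 22:59:13.000000000 delivery 70: success: 192.0.2.10_accepted_message./
"""

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for peer alerts
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              71: "insufficient_security"}

DEFERRAL = re.compile(
    r"deferral: TLS_connect_failed"
    r"(?::_error:(?P<code>[0-9A-Fa-f]{8}):[^;]*)?;"
    r"(?:_connected_to_(?P<ip>\d+(?:\.\d+){3}))?")

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL (pre-3.0) error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(code_hex):
    """Name the failure: a TLS alert from the peer, another error, or no detail."""
    if code_hex is None:
        return "tls_failed_no_detail"
    lib, _func, reason = decode_openssl_error(code_hex)
    alert = reason - SSL_AD_REASON_OFFSET
    if lib == ERR_LIB_SSL and alert in TLS_ALERTS:
        return "peer_alert:" + TLS_ALERTS[alert]
    return "openssl_error:" + code_hex

def triage(log_text):
    """Map destination IP -> {classification: count} for TLS deferrals."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DEFERRAL.search(line)
        if m:
            report[m.group("ip") or "unknown"][classify(m.group("code"))] += 1
    return {ip: dict(kinds) for ip, kinds in report.items()}

if __name__ == "__main__":
    for ip, kinds in triage(SAMPLE_LOG).items():
        print(ip, kinds)
```

A destination that only ever shows peer_alert:handshake_failure is refusing what the sender offers (protocol version or cipher list), which is the case Eric describes; a bare tls_failed_no_detail needs the full log line before drawing that conclusion.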