SSL23_GET_CLIENT_HELLO

So having just “had a word” about a cPanel login issue with Outlook (and no doubt other clients out there) not moving with the times – here is the other face of the same issue, where the server is downright saying no to bad protocols that it no longer supports:

Nov 14 14:30:33 plesk71 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=123.123.123.123, lip=234.234.234.234, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<FA3JOvJdSdTZwtEM>

The end user is unable to get logged in when they switch on any kind of encryption (so they say).

It transpires that this message means they are using SSLv2 or SSLv3 to connect. Once you have stopped peering through your fingers and wondering what the password they are using is – switching to TLS or STARTTLS (depending on the client) resolves the issue. If they do not support a new enough version

The same issue presents as follows for Courier and Postfix:

postfix/smtpd[25460]: SSL_accept error from mta.email.example.com[132.132.132.132]: -1
postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

courier-pop3s: couriertls: connect: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
courier-pop3s: couriertls: connect: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Plesk KB article here.

You can work around it – there are instructions there… but you are not one of those people, are you? No? I thought not. We can be friends : )
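To see which clients still need their settings changed, the handshake failures shown above can be grouped by client address. This is an added example, not code from the original post or from Plesk; the function name `triage` and the `"unknown"` bucket are this example's own, and the sample input is the log lines quoted in the post.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (Dovecot, Postfix, Courier).
SAMPLE = """\
Nov 14 14:30:33 plesk71 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=123.123.123.123, lip=234.234.234.234, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<FA3JOvJdSdTZwtEM>
postfix/smtpd[25460]: SSL_accept error from mta.email.example.com[132.132.132.132]: -1
postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
courier-pop3s: couriertls: connect: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
courier-pop3s: couriertls: connect: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# OpenSSL error string: error:<code>:SSL routines:<function>:<reason>
SSL_ERR = re.compile(r"error:([0-9A-F]{8}):SSL routines:(\w+):([^:,]+)")
DOVECOT_RIP = re.compile(r"\brip=([0-9A-Fa-f.:]+)")
POSTFIX_PEER = re.compile(r"postfix/smtpd\[(\d+)\]: SSL_accept error from \S+?\[([0-9A-Fa-f.:]+)\]")
POSTFIX_PID = re.compile(r"postfix/smtpd\[(\d+)\]:")

def triage(lines):
    """Map each client address to the set of (code, reason) handshake errors."""
    peers = defaultdict(set)
    peer_by_pid = {}  # Postfix logs the peer and the TLS error on separate lines
    for line in lines:
        m = POSTFIX_PEER.search(line)
        if m:
            peer_by_pid[m.group(1)] = m.group(2)
            continue
        err = SSL_ERR.search(line)
        if not err:
            continue
        rip = DOVECOT_RIP.search(line)
        pid = POSTFIX_PID.search(line)
        if rip:
            peer = rip.group(1)
        elif pid:
            peer = peer_by_pid.get(pid.group(1), "unknown")
        else:
            peer = "unknown"  # the couriertls lines carry no client address
        peers[peer].add((err.group(1), err.group(3).strip()))
    return dict(peers)

if __name__ == "__main__":
    for peer, errors in triage(SAMPLE.splitlines()).items():
        for code, reason in sorted(errors):
            print(f"{peer}\t{code}\t{reason}")
```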

 
