Error trying to connect from QuickBooks Webmail interface

[RetiredAF]

We have a Centos 7.8 server running Exim version 4.93-5 and are having problems connecting from the QuickBooks Webmail interface. I can connect using this interface to my Cox email account on port 587 with SSL/TLS so I have no reason to believe there is a problem with QuickBooks. When we try connecting to an email account on our server with either ports 465 or 587 with SSL/TLS, QuickBooks gives us one of those worthless lists of possible problems that includes about every possible problem. More revealing is what I am seeing monitoring the Exim log, which for both ports is this error:

error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

So far as the SSL/TLS is concerned we have left the Exim setting at their defaults.

Can anyone tell me how to proceed from here? How can I determine what ciphers QuickBooks has to share? Of course if anyone knows the fix for this problem that would be very welcome also.

 

[keat63]

I had issues with an apple mac which i'm convinced was down to ciphers.
I can't say for sure if this is the same issue as you have.

You mention that you've left the exim settings alone, but your status says that you are a web site owner.
I'm not sure a web site owner has access to this, so I'm assuming that you are a root admin. ??

In exim config, under the security tab, make a note and copy your current 'options for open ssl' and 'ssl/tls cipher suite list'
When you have a copy of these, try these settings instead.

+no_sslv2 +no_sslv3

and

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

Provided you took a copy before making any changes, you should be able to roll back if it doesn't work for you.

 

[RetiredAF]

Thanks with that configuration I was able to send email using port 587. I didn't try 465 yet.

So this will get me going . I've set exim back to the defaults until I can figure out the minimum I need to add and subtract from the default configuration to get this working. The exim log has this is it which I think will help me narrow it down.

2020-07-20 14:11:01 1jxaFc-0000Jz-DM <= [email protected] H=ipxxx-xxx-xxx-xxx.tc.ph.cox.net (my-pc) [xxx-xxx-xxx-xxx]:54754 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-SHA:128 CV=no A=dovecot_plain:[email protected] S=71143 id=560278def69f029ddb1291f4ca63ff65@smy-pc T="Invoice 13 from DesignbySteve" for [email protected]​

 

[cPanelLauren]

@keat63 the suggestion was right - that error:

error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

This indicates that the server does not have a cipher added which Quickbooks supports.

@RetiredAF if 587 which uses STARTTLS functions with the custom cipher list you should be ok but I'm unsure which ciphers Quickbooks would specify and I was unable to find much in their documentation beyond the standard instructions for the big email service provider companies.

 

[RetiredAF]

I found that just adding ECDHE-RSA-AES128-SHA to the end of the default SSL/TLS Cipher Suite List in exim was enough for me to send email from QuickBook on port 587, SSL/TLS/

Now I wish I knew if there is something flakey about that cipher, and if there's not, why isn't part of the default exim SSL/TLS Cipher Suite List ? Anyone know or know how to find out?

 

[cPanelLauren]

It looks like an older broad compatibility SSLv3 cipher per SSL Cipher Strength Details