SOLVED Error: Your server does not support the connection encryption type you have specified

[linux4me2]

[Moderator Edit: Click here to see our response to the issue reported on this thread.]

Last week, after the update to cPanel/WHM 68.0.9, we updated the cipher suites for all services including Exim and Dovecot. Today, I heard from a client using Win 7 and Outlook 2016 that she was unable to send or receive email. Her webmail was working fine.

Outlook was giving her the error:

error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

We reverted the cipher suite for Dovecot and Exim to:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

and after restarting the services, she was able to receive email, but still can't send without getting the error regarding encryption type.

The SSL protocols in Dovecot are set to the same they were before the update:

TLSv1 TLSv1.1 TLSv1.2

In Exim, we tried going back to:

+no_sslv2 +no_sslv3 +no_tlsv1

and:

+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

but neither helped.

Is there some other setting, or some other service, that would be preventing Outlook 2016 from sending mail because of the encryption type?

 

[linux4me2]

In /var/log/maillog I see these each time she tried to retrieve mail using the new cipher suite:

host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<xxxxxxxxxxxxxxxxxxx>

Those appear to have cleared up after I reverted to the cipher suite we were previously using.

In /var/log/exim_mainlog, I'm seeing a lot of these:

44872 Warning: "|/usr/local/cpanel/bin/autorespond [email protected] /home/username/.autorespond","|/usr/local/cpanel/bin/autorespond [email protected] /home/username/.autorespond"

but other than that, just her successful logins via the Webmail UI.

I do see some entries like this, but I haven't been able to confirm that this is her IP:

SMTP connection from [xxx.xxx.xxx.xxx]:60000 (TCP/IP connection count = 3)
2017-11-06 14:24:54 TLS error on connection from [xxx.xxx.xxx.xxx]:60000 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-11-06 14:24:54 TLS client disconnected cleanly (rejected our certificate?)

I did have her try to set up Outlook's SMTP settings for port 465 and SSL/TLS, and port 587 with start TLS, both of which work fine using Thunderbird on Linux. Neither of those worked for her. I've checked with another client who is using Thunderbird on Win 7, and he hasn't had any issues, so I believe it is Outlook that's causing the issue.

 

[keithalmli]

Just adding, I'm having the same issues as well, and I've tested on Outlook 2016, 2007. Both will not connect. With exact same errors as you. I did attempt the Thunderbird with great success. (STARTTLS only) I will say however, for me other accounts on server work fine. I've found 2 so far out of several others that do not work on Microsoft Outlook. May be worth testing on your end to see if by chance its isolated to a couple of e-mail accounts. (Seems odd)

 

[linux4me2]

Just adding, I'm having the same issues as well, and I've tested on Outlook 2016, 2007. Both will not connect. With exact same errors as you. I did attempt the Thunderbird with great success. (STARTTLS only) I will say however, for me other accounts on server work fine. I've found 2 so far out of several others that do not work on Microsoft Outlook. May be worth testing on your end to see if by chance its isolated to a couple of e-mail accounts. (Seems odd)

I've only had one client report the issue so far, so it may not be all accounts. I don't know how many people are actually using Outlook.

 

[linux4me2]

Hello,

You mentioned Windows 7 in your original post. For Windows 7, Microsoft has created a patch to enable 1.1 and 1.2 on the encryption service used by Outlook:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Can you verify if applying this update solves the issue?

Thank you.

Thanks for finding that. I sent the client the link to the patch, and I asked her to try installing it--if it's not already installed--and to make the registry change they suggest to activate it. I'm waiting to hear back from her.

 

[linux4me2]

The client reports that she installed the patch, ran Easy Fix (to set the registry flag), then rebooted and tested sending in Outlook, but that it did not resolve the issue. I've asked her to try Thunderbird to see if it works, which might tell us if the problem is just Outlook, Windows 7, or something else specific to her machine.

 

[keithalmli]

I threw in the towel and tried an install of Windows 10 (Upgrade still free until December) It worked right away. In my opinion it appears it's a Windows 7 issue.

 

[linux4me2]

I threw in the towel and tried an install of Windows 10 (Upgrade still free until December) It worked right away. In my opinion it appears it's a Windows 7 issue.

I haven't been able to find a solution yet, either, though I'm still waiting for the affected client to try Thunderbird to see if it solves the problem for her. I have other clients who are using Win 7 and Thunderbird successfully, so I'm really curious to see if it's something specific to her Win 7 install.

Are you using the new cipher suite with Win 10 and Outlook 2016 without any problems, or did you have to revert to the old cipher suite?

 

[keithalmli]

Sorry for delay, It was interesting. The Windows 10 machine worked fine from the start. A simple reboot on monday morning was enough to flush the systems DNS cache, and or make it work correct. With no changes.

The Windows 7 machine never worked at all and wouldn't connect, although I could ping the system with no problems. My management company changed several settings, I'd like to think one of them was the cipher. After the changes they were able to get things rolling on their side without issue, (not sure if they had 10 or 7 as a test machine) but regardless I was unable to do anything on the Windows 7 until i did a flushdns AFTER their changes, then I was able to connect to server, but could not send mail receiving the same error.

Eventually I threw in the towel and upgraded to Windows 10, then it the sending cleared up.

I did try the fix provided by Microsoft, adding the values and such.. didn't seem to make a difference.

 

[brt]

Just adding that I had a client with problems with Mail in El Capitan yesterday and I had to revert both options as well.

 

[EneTar]

So for Win 7 users with outlook is there any solution?

 

[jarland]

Hello,

Try updating the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" values under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager » Basic Editor" to match the following to see if it allows sending to work for clients that don't support the updated requirements:

For "SSL/TLS Cipher Suite List":

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

For "Options for OpenSSL":

+no_sslv2

Thank you.

Is this not re-enabling SSLv3? That doesn't seem like the ideal solution.

I came to the forum today because of multiple customers reporting on my latest server that they are getting SSL errors on IMAP, and the logs always show SSLv3 attempts. This despite them using up to date software on up to date OS/devices, none of which should even support SSLv3. Strangely, it isn't impacting every user. I can use the same device/OS/app combinations and get through fine. No particular area or network, multiple devices and network tried by each customer that reports this. Only one server experiencing it. Makes zero sense

 

[EneTar]

Hello,

Try updating the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" values under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager » Basic Editor" to match the following to see if it allows sending to work for clients that don't support the updated requirements:

For "SSL/TLS Cipher Suite List":

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

For "Options for OpenSSL":

+no_sslv2

Thank you.

What does this mean for our server security?

 

[EneTar]

The workaround allows for the use of weaker ciphers, allowing for greater compatibility but reduced security. Ideally, you should leave the updated cipher settings enabled and reach out to the users reporting the errors to determine if they can upgrade their operating systems or email clients to versions that support the modern cipher requirements.

1) So what's the worst that can happen on our servers with this reduced security?

2) You are saying that ideally we should contact our users. What do you mean by that? Contact everyone who has an email account on our server? We have already done that. We have adapted nearly 100 users the last week. Or do you mean to contact anyone who is supposed to send a message to our customers? <- That is impossible...

 

[panit]

justjaph - Thank you very much. That fixed it for me too.

The failure it caused didn't seem to have anything to do with the age of the email program being used. My program was just upgraded to the latest version a few months ago and one of my hosting members that this affected is using Windows Mail on Windows 10. Does anyone know what affect enabling the old ciphers will have? I assume cpanel removed them for a reason.

 

[EneTar]

Here are a couple of links that explain the advantages of TLS 1.2:

More about TLS and SSL - cPanel Knowledge Base - cPanel Documentation
Is TLS 1.0 more secure than TLS 1.2?

So the worst that can happen is an insecure communication between the client and the server but not anything like accessing/ attacking any part of the server correct?

I was referring to your customers that use older email clients to send/receive email from an email account hosted on your cPanel server.

Well I think this is not true. Our customers have upgraded their emails clients with TLS1.2 support and they could exchange messages to each other perfectly well. However some people using external server as described in TLS error on connection issue couldn't reach them.

After applying the configuration of Outlook 2016 Sending Email Fails After Cipher Suite Update those people could reach them perfectly fine. That was the only thing that we changed in our system. So my assumption is that those settings affect also external servers which contact our server.

 

[Claudiu Hristov]

Hi all
New in here so i hope i can find some answers. I'm using w68.0.19 for a few days and i'm not able to use ssl with outlook (any version) only on windows 7 computers. On windows 10 it works well as before.
Did what you suggested changing SSL/TLS Cipher Suite List and Options for OpenSSL. Not i can can setup outlook with ssl port 465 but not able to use pop3 with ssl port 995. The error is Your server does not support the connection encryption type you have specified. Any suggestions?
Thank you

 

[panit]

justjaph - Thank you very much for your fix. That did the trick. My host was convinced the problem was on my end so they didn't even bother looking at possible causes on the server.

Does anyone know what affect adding the old ciphers will cause? I assume cpanel removed them for a reason. Making the above changes was needed even though the email programs involved were not old. My program was just renewed to thelatest version a few months ago and one of my clients that had the problem uses Windows 10 email client.

 

[Claudiu Hristov]

Check to see if this post (found earlier in this thread) helps:

Outlook 2016 Sending Email Fails After Cipher Suite Update

I triyed Microsoft's patch but unfortunately it doesn't work. I have no other ideea. All Windows7 clients use "no ssl" for incoming mail in Outlook. Thunderbird works fine as well as Outlook on Windows10.

 

[lorio]

Is the workaround on How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation
still working under 68.0.19/20?

If you wish to allow mail users to connect to your server with Microsoft Outlook® 2007 on Windows XP®, the following cipher will allow them to connect:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Outlook seems to no longer be able to send since Exim 4.89. The cipher / protocol tweaks worked from 64. to 66 worked on 68.0 in the beginning.

TLS error on connection from [X.X.X.X]:1591 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
TLS client disconnected cleanly (rejected our certificate?)

Any one with the same issue after 68.0.19?