SOLVED TLS error log flooding

Discussion in 'E-mail Discussions' started by Mise, Dec 1, 2017.

  1. Mise

    Today the server is flooded with new TLS errors, and many customers are unable to send emails:

    /var/log/exim_mainlog :
    Code:
    2017-12-01 22:20:34 [11213] TLS error on connection from [x.x.x.x]:51484 I=[x.x.x.x.x]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2017-12-01 22:20:34 [11213] TLS client disconnected cleanly (rejected our certificate?)
    
    Now some customers are able to send messages while others are not.

    No change has been made and the Exim options are at their defaults. I wonder if some recent cPanel update to TLS or Exim ciphers can be the cause of this serious problem.

    Please, can somebody from the cPanel staff explain how to solve this problem, or how to restore the previous situation? Ticket support shows a warning that it's very busy.
    This is very urgent!!!

    Thanks!
     
  2. Mise

    Solved by myself.
    As I suspected, the latest cPanel update was the cause. Many people have mail software which is not recent and they are connecting with TLS 1.

    Solved by changing the ciphers with:
    Code:
    tls_require_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    and TLS options:
    openssl_options = +no_sslv2 +no_sslv3
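
Added example, not part of the thread or of cPanel's tooling: a small Python triage of the `TLS error on connection` lines quoted in the first post. It groups them by listening port and OpenSSL reason string, so the affected clients and failure types are visible before and after a change to `tls_require_ciphers`. The log lines are constructed samples in the quoted format, and the addresses are documentation-range placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the exim_mainlog format quoted in the post;
# the addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
2017-12-01 22:20:34 [11213] TLS error on connection from [192.0.2.10]:51484 I=[198.51.100.5]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-12-01 22:20:34 [11213] TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 22:21:02 [11240] TLS error on connection from [192.0.2.10]:51490 I=[198.51.100.5]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-12-01 22:21:40 [11302] TLS error on connection from mail.example.net [192.0.2.77]:40112 I=[198.51.100.5]:25 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2017-12-01 22:22:05 [11310] 1eKsAb-0002xy-9Z <= user@example.com H=(client) [192.0.2.10]:51500 P=esmtpsa
"""

# Matches only handshake-failure lines; hostname, HELO name and I= part are optional.
TLS_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"TLS error on connection from (?:\S+ )?(?:\(\S+\) )?\[(?P<client>[^\]]+)\](?::\d+)?"
    r"(?: I=\[[^\]]+\]:(?P<port>\d+))?"
    r" \((?P<call>\w+)\): (?P<detail>.*)$"
)

def summarize_tls_errors(lines):
    """Count TLS handshake failures per (listening port, OpenSSL reason)
    and collect the client addresses seen for each pair."""
    counts = Counter()
    clients = defaultdict(set)
    for line in lines:
        m = TLS_ERROR.match(line)
        if not m:
            continue  # not a handshake-failure line
        reason = m.group("detail").rsplit(":", 1)[-1].strip()
        key = (m.group("port") or "?", reason)
        counts[key] += 1
        clients[key].add(m.group("client"))
    return counts, clients

if __name__ == "__main__":
    counts, clients = summarize_tls_errors(SAMPLE_LOG.splitlines())
    for (port, reason), n in counts.most_common():
        print(f"port {port:>4}  {n:>4}x  {reason}  clients={sorted(clients[(port, reason)])}")
```

To run it against a live server, pass the lines of `/var/log/exim_mainlog` to `summarize_tls_errors` instead of the sample.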
     