Error: Your server does not support the connection encryption type you have specified

Comments

32 comments

  • linux4me2
    In /var/log/maillog I see these each time she tried to retrieve mail using the new cipher suite:
    host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=
    Those appear to have cleared up after I reverted to the cipher suite we were previously using. In /var/log/exim_mainlog, I'm seeing a lot of these:
    44872 Warning: "|/usr/local/cpanel/bin/autorespond user@domain.tld /home/username/.autorespond","|/usr/local/cpanel/bin/autorespond user@domain.tld /home/username/.autorespond"
    but other than that, just her successful logins via the Webmail UI. I do see some entries like this, but I haven't been able to confirm that this is her IP:
    SMTP connection from [xxx.xxx.xxx.xxx]:60000 (TCP/IP connection count = 3)
    2017-11-06 14:24:54 TLS error on connection from [xxx.xxx.xxx.xxx]:60000 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2017-11-06 14:24:54 TLS client disconnected cleanly (rejected our certificate?)
    I did have her try to set up Outlook's SMTP settings for port 465 and SSL/TLS, and port 587 with start TLS, both of which work fine using Thunderbird on Linux. Neither of those worked for her. I've checked with another client who is using Thunderbird on Win 7, and he hasn't had any issues, so I believe it is Outlook that's causing the issue.
    0
  • keithalmli
    Just adding, I'm having the same issues as well, and I've tested on Outlook 2016, 2007. Both will not connect. With exact same errors as you. I did attempt the Thunderbird with great success. (STARTTLS only) I will say however, for me other accounts on server work fine. I've found 2 so far out of several others that do not work on Microsoft Outlook. May be worth testing on your end to see if by chance it's isolated to a couple of e-mail accounts. (Seems odd)
    0
  • linux4me2
    Just adding, I'm having the same issues as well, and I've tested on Outlook 2016, 2007. Both will not connect. With exact same errors as you. I did attempt the Thunderbird with great success. (STARTTLS only) I will say however, for me other accounts on server work fine. I've found 2 so far out of several others that do not work on Microsoft Outlook. May be worth testing on your end to see if by chance it's isolated to a couple of e-mail accounts. (Seems odd)

    I've only had one client report the issue so far, so it may not be all accounts. I don't know how many people are actually using Outlook.
    0
  • linux4me2
    Hello, You mentioned Windows 7 in your original post. For Windows 7, Microsoft has created a patch to enable 1.1 and 1.2 on the encryption service used by Outlook:
    0
  • linux4me2
    The client reports that she installed the patch, ran Easy Fix (to set the registry flag), then rebooted and tested sending in Outlook, but that it did not resolve the issue. I've asked her to try Thunderbird to see if it works, which might tell us if the problem is just Outlook, Windows 7, or something else specific to her machine.
    0
  • keithalmli
    I threw in the towel and tried an install of Windows 10 (Upgrade still free until December) It worked right away. In my opinion it appears it's a Windows 7 issue.
    0
  • linux4me2
    I threw in the towel and tried an install of Windows 10 (Upgrade still free until December) It worked right away. In my opinion it appears it's a Windows 7 issue.

    I haven't been able to find a solution yet, either, though I'm still waiting for the affected client to try Thunderbird to see if it solves the problem for her. I have other clients who are using Win 7 and Thunderbird successfully, so I'm really curious to see if it's something specific to her Win 7 install. Are you using the new cipher suite with Win 10 and Outlook 2016 without any problems, or did you have to revert to the old cipher suite?
    0
  • keithalmli
    Sorry for delay, It was interesting. The Windows 10 machine worked fine from the start. A simple reboot on Monday morning was enough to flush the system's DNS cache, and or make it work correct. With no changes. The Windows 7 machine never worked at all and wouldn't connect, although I could ping the system with no problems. My management company changed several settings, I'd like to think one of them was the cipher. After the changes they were able to get things rolling on their side without issue, (not sure if they had 10 or 7 as a test machine) but regardless I was unable to do anything on the Windows 7 until I did a flushdns AFTER their changes, then I was able to connect to server, but could not send mail receiving the same error. Eventually I threw in the towel and upgraded to Windows 10, then the sending cleared up. I did try the fix provided by Microsoft, adding the values and such.. didn't seem to make a difference.
    0
  • brt
    Just adding that I had a client with problems with Mail in El Capitan yesterday and I had to revert both options as well.
    0
  • EneTar
    So for Win 7 users with outlook is there any solution?
    0
  • jarland
    Hello, Try updating the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" values under the "Security" tab in "WHM Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor" to match the following to see if it allows sending to work for clients that don't support the updated requirements: For "SSL/TLS Cipher Suite List":
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    For "Options for OpenSSL":
    +no_sslv2
    Thank you.

    Is this not re-enabling SSLv3? That doesn't seem like the ideal solution. I came to the forum today because of multiple customers reporting on my latest server that they are getting SSL errors on IMAP, and the logs always show SSLv3 attempts. This despite them using up to date software on up to date OS/devices, none of which should even support SSLv3. Strangely, it isn't impacting every user. I can use the same device/OS/app combinations and get through fine. No particular area or network, multiple devices and network tried by each customer that reports this. Only one server experiencing it. Makes zero sense :(
    0
  • EneTar
    Hello, Try updating the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" values under the "Security" tab in "WHM Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor" to match the following to see if it allows sending to work for clients that don't support the updated requirements: For "SSL/TLS Cipher Suite List":
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    For "Options for OpenSSL":
    +no_sslv2
    Thank you.

    What does this mean for our server security?
    0
  • EneTar
    The workaround allows for the use of weaker ciphers, allowing for greater compatibility but reduced security. Ideally, you should leave the updated cipher settings enabled and reach out to the users reporting the errors to determine if they can upgrade their operating systems or email clients to versions that support the modern cipher requirements.

    1) So what's the worst that can happen on our servers with this reduced security? 2) You are saying that ideally we should contact our users. What do you mean by that? Contact everyone who has an email account on our server? We have already done that. We have adapted nearly 100 users the last week. Or do you mean to contact anyone who is supposed to send a message to our customers? <- That is impossible...
    0
  • panit
    justjaph - Thank you very much. :) That fixed it for me too. The failure it caused didn't seem to have anything to do with the age of the email program being used. My program was just upgraded to the latest version a few months ago and one of my hosting members that this affected is using Windows Mail on Windows 10. Does anyone know what effect enabling the old ciphers will have? I assume cpanel removed them for a reason.
    0
  • EneTar
    Here are a couple of links that explain the advantages of TLS 1.2: More about TLS and SSL - cPanel Knowledge Base - cPanel Documentation Is TLS 1.0 more secure than TLS 1.2?

    So the worst that can happen is an insecure communication between the client and the server but not anything like accessing/ attacking any part of the server correct?
    I was referring to your customers that use older email clients to send/receive email from an email account hosted on your cPanel server.

    Well I think this is not true. Our customers have upgraded their emails clients with TLS1.2 support and they could exchange messages to each other perfectly well. However some people using external server as described in TLS error on connection issue couldn't reach them. After applying the configuration of Outlook 2016 Sending Email Fails After Cipher Suite Update those people could reach them perfectly fine. That was the only thing that we changed in our system. So my assumption is that those settings affect also external servers which contact our server.
    0
  • Claudiu Hristov
    Hi all. New in here so I hope I can find some answers. I'm using w68.0.19 for a few days and I'm not able to use SSL with Outlook (any version) only on Windows 7 computers. On Windows 10 it works well as before. Did what you suggested changing SSL/TLS Cipher Suite List and Options for OpenSSL. Now I can set up Outlook with SSL port 465 but not able to use POP3 with SSL port 995. The error is "Your server does not support the connection encryption type you have specified". Any suggestions? Thank you
    0
  • panit
    justjaph - Thank you very much for your fix. That did the trick. :) My host was convinced the problem was on my end so they didn't even bother looking at possible causes on the server. Does anyone know what effect adding the old ciphers will cause? I assume cpanel removed them for a reason. Making the above changes was needed even though the email programs involved were not old. My program was just renewed to the latest version a few months ago and one of my clients that had the problem uses Windows 10 email client.
    0
  • Claudiu Hristov
    Check to see if this post (found earlier in this thread) helps: Outlook 2016 Sending Email Fails After Cipher Suite Update

    I tried Microsoft's patch but unfortunately it doesn't work. I have no other idea. All Windows 7 clients use "no ssl" for incoming mail in Outlook. Thunderbird works fine as well as Outlook on Windows 10.
    0
  • lorio
    Is the workaround on How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation still working under 68.0.19/20? If you wish to allow mail users to connect to your server with Microsoft Outlook 2007 on Windows XP, the following cipher will allow them to connect:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    Outlook seems to no longer be able to send since Exim 4.89. The cipher / protocol tweaks worked from 64. to 66 worked on 68.0 in the beginning.
    TLS error on connection from [X.X.X.X]:1591 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
    TLS client disconnected cleanly (rejected our certificate?)
    Anyone with the same issue after 68.0.19?
    0
  • lorio
    You'd need to implement the workaround provided on the following post earlier in this thread:Post-2498287

    That workaround is confirmed for older Outlook under XP? 2003 2007? I have tried to reproduce the issue with a worst-case setup (Outlook 2003 under XP). And SMTP under cPanel 68 with Exim 4.89 isn't working with the workaround. Perhaps it is better that way ;-) Looks to me like Exim has some fixes in 4.89 which may prevent the successful transfer even when cipher and protocols are available. Will at least help to motivate everyone to move on to TLS 1.2 and 1.3.
    0
  • lorio
    I've seen a couple of instances where enabling the "Allow weak SSL/TLS ciphers" option under the "Security" tab in "WHM >> Exim Configuration Manager >> Basic Editor" allowed Outlook 2003 to continue sending

    Quite funny, in my test setup the email is sitting in the outbox quite a while. From time to time Exim accepts one email but most of the time the email stays in the outbox. Allowing or disallowing weak cipher made no difference to this behavior. Think that is a bug with a certain patch level in Outlook 2003. Time to put the workarounds back in the toolbox. Thanks for your endless forum posting and answering. Not sure if I would be able to be that polite and patient all the time ;-)
    0
  • cPanelNick
    If you are using Windows 7 you can apply this update to avoid downgrading the allowed ssl versions on the server side:
    0
  • Rogue18
    Came across this thread in a search for my same issues of not being able to connect to my web host email using Outlook (2013 and 365) with Windows 7, along with most Android mail apps. Thunderbird worked fine though, as did Outlook 2013 on Windows 8. I tried the fix cPanelNick suggested below (including adding the registry EasyFix) but it didn't work for some reason. My web host ended up having to adjust the SSL settings for the mail server, but it lowered the overall security level they said. I'm now able to connect with Outlook and the Android mobile apps that didn't work before either. Wanted to see if anyone has found another solution, or maybe knows why the below solution didn't work for me? I don't like the idea of lowered security levels.
    If you are using Windows 7 you can apply this update to avoid downgrading the allowed ssl versions on the server side:
    0
  • RetiredAF
    We were having this problem with Outlook 2013 and Windows 7. The fix proposed in post 14 of this thread was suggested to us in a ticket we opened for the problem. With trial and error I was able to find a more specific answer to our problem which I'd like to share.
      - From the default list of Options for OpenSSL of +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 I removed +no_tlsv1
      - To the default list of SSL/TLS Cipher Suite List I added ECDHE-RSA-AES256-SHA
    With it working I could see in the exim_mainlog "...X=TLSv1:ECDHE-RSA-AES256-SHA.." which confirms the protocol and cipher being used by Outlook 2013.
    0
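
The `X=TLSv1:ECDHE-RSA-AES256-SHA` check described in the post above can be run over a whole log to list which logins still negotiate legacy TLS and which clients fail the handshake, so only those users need contacting. This is an added example, not code from any poster or from cPanel; the log lines are constructed in the style of the entries quoted in this thread, and `summarize` and the regex names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the exim_mainlog / maillog entries
# quoted in this thread (documentation IP ranges, made-up mailboxes).
SAMPLE_LOG = """\
2017-11-06 14:20:01 1eBaaa-0001Xy-AB <= alice@example.com H=(pc1) [203.0.113.10]:51234 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:alice@example.com S=1834
2017-11-06 14:21:09 1eBaab-0001Xz-CD <= bob@example.com H=(pc2) [203.0.113.20]:40112 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.com S=2210
2017-11-06 14:22:40 1eBaac-0001Y0-EF <= alice@example.com H=(pc1) [203.0.113.10]:51240 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:alice@example.com S=990
2017-11-06 14:24:54 TLS error on connection from [198.51.100.7]:60000 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Nov  6 14:25:02 host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<abc>
"""

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocol labels treated as legacy

X_FIELD = re.compile(r"\bX=([^:\s]+):([^:\s]+)")          # X=<protocol>:<cipher>
CLIENT_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\](?::\d+)?")  # [ip] or [ip]:port
AUTH_USER = re.compile(r"\bA=\w+:(\S+)")                  # A=<authenticator>:<login>
EXIM_FAIL = re.compile(
    r"TLS error on connection from \[([^\]]+)\].*\(SSL_accept\): "
    r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.+)$")
DOVECOT_FAIL = re.compile(
    r"rip=([^,\s]+),.*SSL_accept\(\) failed: "
    r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^,]+)")


def summarize(log_text):
    """Return (sessions, legacy_clients, failures) for the given log text."""
    sessions = Counter()               # (protocol, cipher) -> accepted messages
    legacy_clients = defaultdict(set)  # login (or IP) -> legacy suites used
    failures = Counter()               # (client IP, OpenSSL reason) -> count
    for line in log_text.splitlines():
        x = X_FIELD.search(line)
        # Only arrival lines ("<=") describe a client connecting to us;
        # delivery lines ("=>") carry the remote server's X= value instead.
        if x and " <= " in line:
            proto, cipher = x.groups()
            sessions[(proto, cipher)] += 1
            if proto in LEGACY:
                user, ip = AUTH_USER.search(line), CLIENT_IP.search(line)
                who = user.group(1) if user else (ip.group(1) if ip else "unknown")
                legacy_clients[who].add(f"{proto}:{cipher}")
            continue
        fail = EXIM_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if fail:
            failures[(fail.group(1), fail.group(2).strip())] += 1
    return sessions, dict(legacy_clients), failures
```
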
  • abnet
    Once I switched to a newer server, I started having problems with sending email on a Windows 7 machine with Outlook. My research led me to: - WHM/Exim default no longer supported older ciphers. Searching for that issue led me to: - Windows has a patch and registry change to enable TLS 1.2. I did that, and it fixed getting emails, yet Outlook was still not sending mail. I then went into account settings under connections where you set the in/out ports, the outgoing port was 465 and the encryption setting was TLS. I changed that to SSL and it now sends emails. I couldn't reply with this to existing threads because "over 1 year old"... stupid. So posting new.
    0
  • nosajix
    I am having a hard time understanding this. Obviously telling my clients they need to upgrade their less than 5 year old software and even in some cases hardware to use their domain based email hosted with cpanel is CRAZY - I mean especially when they still can load in any gmail, outlook.com, yahoo, apple, Verizon, etc. etc. email into the same mail clients without any issue. I mean, they obviously aren't using TLS1 are they? What gives? What advice can you give me? I know I can simply enable TLS1 and change the cipher list in the mailserver config but does that not severely reduce security? Not to mention PCI Compliance? My real question here though is why is this only a problem with cpanel mail? -Jason
    0
  • nosajix
    I get why we use Tls1.2, I don't get why the other major mail providers can still be used with those clients that cpanel mail doesn't work with. Surely they aren't using tls1.0...
    0
  • nosajix
    Also I would comment on the link you posted but comments are closed there.
    0
  • sparek-3
    What other "major mail providers" are you referring to? If you are referring to providers like Gmail, Outlook, Yahoo ... those are all webmail service providers. With webmail, your browser functions as the client. A check of gmail's website shows that it still supports TLSv1 and TLSv1.1 - so that connection isn't necessarily as secure as you think it is.
    0
  • nosajix
    What other "major mail providers" are you referring to? If you are referring to providers like Gmail, Outlook, Yahoo ... those are all webmail service providers. With webmail, your browser functions as the client. A check of gmail's website shows that it still supports TLSv1 and TLSv1.1 - so that connection isn't necessarily as secure as you think it is.

    Yes, but you can use smtp/imap with them using these programs (outlook, apple mail etc.) when you can't use cpanel email because they don't support TLS1.2
    0