
TLS failed: (336142563, 'error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext')

Tony Kilbarger
Level 1

Since moving from x1060 running 7.6.1 to C680 with 9.7.1, we are getting this error for one specific destination. We have TLS required with this domain:

TLS failed: (336142563, 'error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext')

Accepted Solution

Robert Sherwin
Cisco Employee

Known issue: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva00454?emailclick=CNSemail

Alert Type: New
Bug Id: CSCva00454
Title: Elliptic curves extension in server hello is not tolerated by CiscoSSL
Status: Open
Severity: 3 Moderate

Description:

Symptom:
When delivering via TLS to certain domains, you may find errors such as the following in the mail logs:

Wed Jun 8 09:00:00 2016 Info: DCID 12345 TLS failed: (336142563, 'error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext')

Emails to these domains cannot be delivered over TLS.

Conditions:
This issue occurs when the following criteria are met:

1) The ESA is configured to allow elliptic curve Diffie-Hellman (ECDH) ciphers
2) The receiving MTA accepts ECDH ciphers and tries to negotiate one
3) The receiving MTA includes the elliptic curves extension in the server hello

NOTE: The inclusion of the elliptic curves extension in the server hello is technically against the RFC 4492 specification (it is intended only as a client hello extension).

Workaround:
There are two options for working around this issue:

1) Disable TLS in Destination Controls for domains that have this issue
2) Add the following to the end of your outbound cipher specification in the 'sslconfig' CLI command: -ECDH

Further Problem Description:

Last Modified: 09-JUN-2016
Known Affected Releases: 10.0.0-082, 9.7.1-066
Known Fixed Releases:
4 Replies

exMSW4319
Level 3

Tony, I can't help as we're only at the stage of considering implementing TLS ourselves, but it begs the interesting question of how one independently tests a recipient domain to see what level of encryption it actually supports.

Question for the forum: those of us managing WSAs and their ilk are familiar with throwing domains at Qualys SSL Labs to see what's wrong with them, but what's the equivalent for an ESA?

www.checktls.com provides a good deal of the information you may be looking for. We use it when considering domains to set up required TLS with.

Thank you sir. Hopefully a future release will allow the ESA to handle the extension gracefully so we don't need to restrict the use of these ciphers.