Exim - CentOS 8 - fixing the error TLS error on connection (SSL_accept (TLSv1)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
From Wiki - Iphoster - the best ever hosting and support. 2005 - 2024
Revision as of 17:44, 15 December 2020; Admin iph
When a client tries to send mail through the server, Exim may log the following error:
$ tail -f /var/log/exim/main.log
TLS error on connection from (site.ru) (SSL_accept (TLSv1)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
The error is raised on the server side by OpenSSL while it processes the client's ClientHello: the connecting client (here, the site's mail-sending script) offers only the old protocol versions TLS 1.0 or TLS 1.1, and on CentOS 8 those versions are disabled by the system-wide crypto policy, which is DEFAULT out of the box and allows only TLS 1.2 and TLS 1.3. Exim itself is not misconfigured; it is the policy that rejects the handshake.
All CentOS 8 crypto policies are described here: https://access.redhat.com/articles/3642912
- LEGACY: This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits.
- DEFAULT: The DEFAULT policy is a reasonable default policy for today's standards, aimed for a balance between usability and security. It allows the TLS 1.2 and 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047-bits.
- FUTURE: A conservative security level that is believed to withstand any near-term future attacks. The purpose of the policy is for testing infrastructure and applications for their readiness for future strengthening of requirements. The policy is not supposed to be used for general purpose systems. This level does not allow the use of SHA-1 in signature algorithms. The RSA and Diffie-Hellman parameters are accepted if larger than 3071-bits.
- FIPS: A level that conforms to the FIPS140-2 requirements. This policy is used internally by the fips-mode-setup tool which can switch the RHEL system into FIPS140 mode.
The quick fix on CentOS 8 is to switch the system-wide crypto policy from DEFAULT to LEGACY (run as root):
$ update-crypto-policies --set LEGACY
Exim does not need to be restarted after this; sending mail starts working immediately. You can confirm the active policy with update-crypto-policies --show.
Keep in mind that the policy is system-wide, not Exim-specific: LEGACY re-enables TLS 1.0, TLS 1.1, 3DES and RC4 for every OpenSSL, GnuTLS, NSS and OpenSSH consumer on the host. Treat it as a workaround that buys time to update the client script to TLS 1.2, and switch back to DEFAULT once the old clients are gone.
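Before flipping the whole host to LEGACY it is worth knowing which clients are actually failing and with which TLS version, and afterwards it is worth confirming what the server now accepts. The script below is an added example and is not code from the wiki page or from the Exim project. It assumes the log path /var/log/exim/main.log, a constructed sample of Exim log lines (host names and addresses are illustrative), and a hypothetical host and port for the STARTTLS probe.

```shell
#!/bin/bash
# Added example, not part of the original wiki page: triage the Exim
# "unsupported protocol" error and verify what the server accepts, before
# and after changing the system-wide crypto policy.
#
# Assumptions that are not from the page: the log path, the client names and
# addresses in the constructed sample log, and the host/port passed to the
# STARTTLS probe are all illustrative.

# 1. Write a constructed sample of Exim main.log lines to the given file:
#    three handshake failures (two from site.ru, one from old.example.net)
#    plus one normal TLS 1.2 delivery line that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-12-15 17:40:01 TLS error on connection from (site.ru) [203.0.113.10] (SSL_accept (TLSv1)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2020-12-15 17:41:12 TLS error on connection from (site.ru) [203.0.113.10] (SSL_accept (TLSv1)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2020-12-15 17:42:30 TLS error on connection from (old.example.net) [198.51.100.7] (SSL_accept (TLSv1.1)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2020-12-15 17:43:05 1kpABC-000123-4U <= sender@example.com H=(ok.example.org) [192.0.2.5] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=2048
EOF
}

# 2. Which clients are failing? Prints "count helo-name", most frequent first.
#    Only "unsupported protocol" failures are counted, so the output is the
#    list of senders that still speak TLS 1.0/1.1 and must be fixed or tolerated.
exim_unsupported_clients() {
    grep -F 'unsupported protocol' "$1" \
      | sed -n 's/.*TLS error on connection from (\([^)]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# 3. Which protocol version did one log line fail with?
#    Exim records it in the "(SSL_accept (TLSv1))" part of the message.
tls_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*(SSL_accept (\([^)]*\))).*/\1/p'
}

# 4. Does the server accept a given TLS version on the SMTP port via STARTTLS?
#    The version flag is one of -tls1, -tls1_1, -tls1_2, -tls1_3. Prints
#    "accepted", "rejected" or "unreachable". Run it from a host whose own
#    policy allows the version being probed (on the CentOS 8 server itself that
#    means after the switch to LEGACY), otherwise the client side refuses the
#    version before the server is ever asked.
probe_starttls() {
    host="$1"; port="${2:-25}"; flag="${3:--tls1}"
    out=$(openssl s_client -connect "$host:$port" -starttls smtp "$flag" </dev/null 2>&1)
    case "$out" in
        *'Cipher is (NONE)'*) echo rejected ;;   # handshake reached the server and was refused
        *'Cipher is '*)       echo accepted ;;   # a cipher was negotiated at that version
        *)                    echo unreachable ;;
    esac
}

# 5. The policy commands from the page, shown rather than executed (both need root).
show_policy_commands() {
    cat <<'EOF'
update-crypto-policies --show          # expect DEFAULT on a stock CentOS 8
update-crypto-policies --set LEGACY    # re-enables TLS 1.0/1.1 for every TLS consumer on the host
EOF
}

# Run the log triage against a real log when one is given, e.g.:
#   EXIM_LOG=/var/log/exim/main.log bash triage.sh
if [ -n "${EXIM_LOG:-}" ]; then
    exim_unsupported_clients "$EXIM_LOG"
fi
```

Typical use: run the triage against the live log to see how many distinct senders are affected; if it is a single script you control, fix that script instead of lowering the host policy. After a policy change, probe_starttls mail.example.com 25 -tls1 from a machine that still allows TLS 1.0 should report "accepted", and -tls1_2 should report "accepted" both before and after.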