From: Jamie C. <jca...@we...> - 2015-02-27 22:55:56
On 27/Feb/2015 01:31 Pat Erler <pe...@gm...> wrote ..
> after changing the SSL cert for dovecot via virtualmin (in the SSL section
> of a domain you have the button "copy to dovecot" or so..) pop/imap logins
> have been denied and the log showed:
>
> Feb 27 10:22:39 host dovecot: pop3-login: Error: SSL: Stacked error:
> error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
> Feb 27 10:22:39 host dovecot: pop3-login: Fatal: Can't set cipher list to
> 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM': error:140E6118:SSL
> routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
>
> the last two lines in /etc/dovecot/dovecot.d/10-ssl.conf were
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list =
> ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
>
> the offending one was the last one, I commented it and commented out the
> one above and it works now, but I think the last line was added for a
> reason. could you check, jamie?
>
> latest virtualmin, ubuntu 12.04

This looks to happen because Webmin tries to set the Dovecot cipher list when you copy the cert if none is set yet, to add protection against unsafe ciphers.

However, it looks like the ciphers Webmin accepts don't necessarily work with Dovecot, which is odd. Are you saying that removing just !AESGCM from the cipher list fixed this?

 - Jamie
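A pre-deployment check for the situation in this thread, as an added example that is not part of the original messages and is not Webmin or Dovecot code: it asks the local OpenSSL, through Python's `ssl` module, whether a cipher list is accepted, and tries each element after a known-good base to point at the ones that are rejected. It assumes Python is linked against the same libssl that Dovecot uses; the function names and the `HIGH` base are choices of this example.

```python
import re
import ssl

# Cipher list quoted in the thread (from /etc/dovecot/dovecot.d/10-ssl.conf).
PAGE_LIST = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:"
             "+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM")


def accepted(cipher_list):
    """True if the local OpenSSL accepts the string (SSL_CTX_set_cipher_list succeeds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


def enabled_ciphers(cipher_list):
    """Names of the cipher suites the string actually enables on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers()]


def rejected_elements(cipher_list, base="HIGH"):
    """Try each element after a known-good base and return those that make it fail."""
    if not accepted(base):
        raise RuntimeError("base cipher string %r is not usable here" % base)
    bad, seen = [], set()
    # OpenSSL separates elements with ':', ';', ',' or space.
    for element in re.split(r"[:;, ]+", cipher_list.strip()):
        if element and element not in seen:
            seen.add(element)
            if not accepted(base + ":" + element):
                bad.append(element)
    return bad


if __name__ == "__main__":
    print("ssl module linked against:", ssl.OPENSSL_VERSION)
    if accepted(PAGE_LIST):
        print("accepted; enables:", ", ".join(enabled_ciphers(PAGE_LIST)))
    else:
        print("rejected; suspect elements:", rejected_elements(PAGE_LIST))
```

The verdict depends on the OpenSSL version, so run it on the host where Dovecot runs. An element that removes everything the base enables is also reported, because the resulting list is empty.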