DirectAdmin Knowledge Base and Support

Fixing SSL routines error SSL23_GET_CLIENT_HELLO:unknown protocol

02:33:46 20.02.2020

Last-updated: 2023-02-22

If PHP scripts running under an old version of the language fail to connect to the SMTP server under DirectAdmin, and in the Exim logs you see lines containing "TLS error on connection from hostname":

2020-02-20 00:30:02 TLS error on connection from localhost (www.poralix.com) [127.0.0.1] (SSL_accept):
 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

or even:

2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): 
 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

here is a possible fix for Exim managed by DirectAdmin.
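Before lowering the TLS configuration it is worth knowing which peers actually produce these errors and how often, since the fix below weakens TLS for everyone. The script that follows is an added example, not part of the original article: it parses Exim mainlog records in the format quoted above (re-joining records that were wrapped onto a second line, as they are shown here) and groups the failures by error reason and peer IP. The sample log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches Exim's "TLS error on connection from ..." record. Field names
# (host, ip, where, code, func, reason) are this example's own naming.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] \((?P<where>[^)]+)\):\s*"
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+?)\s*$"
)

def join_wrapped(lines):
    """Re-join records whose ' error:...' part was wrapped onto a new line."""
    records = []
    for line in lines:
        if line.startswith(" ") and records:
            records[-1] = records[-1].rstrip() + " " + line.strip()
        else:
            records.append(line.rstrip("\n"))
    return records

def summarize_tls_errors(lines):
    """Return {reason: {peer_ip: count}} for TLS handshake failures in the log."""
    summary = defaultdict(Counter)
    for rec in join_wrapped(lines):
        m = LINE_RE.match(rec)
        if m:
            summary[m.group("reason")][m.group("ip")] += 1
    return {reason: dict(peers) for reason, peers in summary.items()}

# Constructed sample: the two records from the article plus one single-line
# record from a remote peer and one unrelated delivery line.
SAMPLE_LOG = [
    "2020-02-20 00:30:02 TLS error on connection from localhost (www.poralix.com) [127.0.0.1] (SSL_accept):",
    " error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): ",
    " error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher",
    "2021-08-10 20:31:12 TLS error on connection from mail.example.org [203.0.113.7] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher",
    "2021-08-10 20:32:00 <= sender@example.org H=mail.example.org [203.0.113.7] P=esmtp S=1234",
]

if __name__ == "__main__":
    for reason, peers in summarize_tls_errors(SAMPLE_LOG).items():
        print(f"{reason}:")
        for ip, n in sorted(peers.items(), key=lambda kv: -kv[1]):
            print(f"  {ip}: {n}")
```

Run it against the real file with `summarize_tls_errors(open("/var/log/exim/mainlog"))` to see whether the failures come from a handful of legacy peers or from your own localhost PHP scripts.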

Re-creating a certificate using sha256WithRSAEncryption

Some old mail servers which communicate with yours might not support modern signature algorithms such as EC 256 bits (ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512), and the error above can be the result.

So you will need to re-create at least the certificate for the server hostname. If you use free certificates from Let's Encrypt, run the following command as root to create a certificate with the sha256WithRSAEncryption signature algorithm:

/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f) 4096

Give the services a couple of minutes to restart, and then try sending an email. If that does not help, check the further instructions below.


Enabling TLSv1.0 and TLSv1.1 in Exim

For this run as root:

touch /etc/exim.variables.conf.custom
echo 'openssl_options = +no_sslv2 +no_sslv3' >> /etc/exim.variables.conf.custom
echo 'tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' >> /etc/exim.variables.conf.custom
cd /usr/local/directadmin/custombuild/
./build update
./build exim_conf

For CentOS 8

You might need to use the following set (instead of the one specified above):

openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

in /etc/exim.variables.conf.custom, and possibly also run:

update-crypto-policies --set LEGACY

as root in the server's console. When running the command you might see the following:

[root@server.example.net ~]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@server.example.net ~]#

And that's OK.

Restart exim:

systemctl restart exim

Important

Please note that TLSv1.0 and TLSv1.1 are deprecated and considered insecure. If enabling them is the only possible solution for you, you do so at your own risk.

That's it.
