Good day,
With the latest HM version 14.28 we get an error with some POP3 tests connecting to 3rd party servers. The error is
276: Failed to verify key exchange signature
HM is running on Windows 10. It works ok using HM version 13.80. We already tried sslProto_POP3 in Misc section but none of the values are solving the issue.
Are there any other settings we can try?
Thanks for any suggestions.
Best regards
Michael
POP3 test failed
Probably some old weak cipher suites are not supported anymore.
What algorithms exactly are supported on the server?
>Are there any other settings we can try?
I think it's a good idea to update old software on the server side.
If not possible, then tell us what TLS versions are supported on your server and what ciphers are supported (key exchange, signature algorithms); maybe we can enable an old cipher or add some option.
Regards
Alex
Hi Alex,
Thanks for the info. We checked further and the problem seems to be only happening when the POP3-Server is running on Windows Server 2022. We connected to the POP3-Server using OpenSSL and the connection shows the following information:
TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
When the same POP3-Server is running on "Windows Server 2019" it works fine and OpenSSL shows the same TLS and Cipher.
Will also check with the developer of the POP3-Server if there are any updates available.
Best regards
Michael
Yes, when OpenSSL is not used but the Windows API is used for encryption, then the result depends on the Windows version (and settings).
But Windows 2022 supports ECDHE-RSA-AES256-GCM-SHA384
https://learn.microsoft.com/en-us/windo ... erver-2022
Could you check the SSL Cipher Suite Order group policy setting using gpedit.msc?
Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order
Also, TLS 1.2 should be enabled in HostMonitor settings. TLS 1.2 is enabled by default or when you set the sslProto_POP3 parameter to
- 2048 (just TLS 1.2)
- 2560 (TLS 1.1 and 1.2)
- 10752 (TLS 1.1, 1.2, 1.3)
In HostMonitor 13.80, SSL3, TLS1, TLS1.1 and TLS1.2 are enabled by default.
In HostMonitor 14.00, TLS1.1, TLS1.2 and TLS 1.3 are enabled by default.
Have you tried sslProto_POP3=2560?
>We already tried sslProto_POP3 in Misc section but none of the values are solving the issue.
Have you tried to set the sslProto_POP3 parameter to 2720 (like old HM 13.80)?
This will not help if the server really supports TLS 1.2, but this may help if the server does not support TLS 1.2 or even TLS 1.1 while it supports really old protocols.
Note: you have to restart HostMonitor when you make such changes.
Regards
Alex
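Added example (not part of the original posts and not HostMonitor code): the sslProto_POP3 values quoted above equal sums of the Schannel SP_PROT_*_CLIENT flags from schannel.h. Assuming the parameter is interpreted that way, this Python code decodes a value and, separately, probes which TLS versions a server will complete a handshake with. The function names, the implicit-TLS port 995 and the flag interpretation are assumptions.

```python
import socket
import ssl

# Assumption: sslProto_POP3 is a bitmask of Schannel SP_PROT_*_CLIENT flags
# (schannel.h). The values quoted in the thread are consistent with that.
SP_PROT_CLIENT = {
    0x0008: "SSL 2.0",
    0x0020: "SSL 3.0",
    0x0080: "TLS 1.0",
    0x0200: "TLS 1.1",
    0x0800: "TLS 1.2",
    0x2000: "TLS 1.3",
}
DEPRECATED = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


def decode_ssl_proto(value):
    """Split a protocol bitmask into enabled, deprecated and unknown parts."""
    enabled = [name for bit, name in sorted(SP_PROT_CLIENT.items()) if value & bit]
    return {
        "enabled": enabled,
        "deprecated": [p for p in enabled if p in DEPRECATED],
        "unknown_bits": value & ~sum(SP_PROT_CLIENT),
    }


def probe_tls_versions(host, port=995, timeout=5.0):
    """Pin one TLS version per attempt and record what the server negotiates.

    Assumes implicit TLS (POP3S); port 995 is a placeholder default.
    """
    results = {}
    for name, ver in (("TLS 1.2", ssl.TLSVersion.TLSv1_2),
                      ("TLS 1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[name] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    for value in (2048, 2560, 10752, 2720):  # values quoted in the thread
        print(value, decode_ssl_proto(value))
```

For 2720 the `deprecated` list contains SSL 3.0, TLS 1.0 and TLS 1.1, which matches the HostMonitor 13.80 defaults described above.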
Hi Alex,
Thanks for the detailed information. The SSL Cipher Suite Order group policy is not configured.
I can confirm it works fine with HM14 when using sslProto_POP3 with 2048 or 2560. It fails with 10752. The POP3 Server we are connecting to does not support TLS1.3 yet, so it looks like HM tries to use the highest available TLS version from its configuration for some reason. Maybe the POP3 Server does not announce its available TLS version during connection...
So we use one of the working settings for now.
Thanks again for your assistance.
Best regards
Michael