KS-Soft. Network Management Solutions

POP3 test failed

 
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Mon Mar 04, 2024 6:11 am    Post subject: POP3 test failed

Good day,
With the latest HM version 14.28 we get an error with some POP3 tests connecting to 3rd party servers. The error is

276: Failed to verify key exchange signature

HM is running on Windows 10. It works ok using HM version 13.80. We already tried sslProto_POP3 in Misc section but none of the values are solving the issue.

Are there any other settings we can try?
Thanks for any suggestions.

Best regards
Michael
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Mon Mar 04, 2024 11:49 am

Probably some old weak cipher suites are not supported anymore.
What algorithms exactly are supported on the server?

>Are there any other settings we can try?

I think it's a good idea to update old software on the server side.
If that is not possible, then tell us what TLS versions are supported on your server and what ciphers are supported (key exchange, signature algorithms); maybe we can enable an old cipher or add some option.

Regards
Alex
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Tue Mar 05, 2024 4:34 am

Hi Alex,
Thanks for the info. We checked further and the problem seems to be happening only when the POP3-Server is running on Windows Server 2022. We connected to the POP3-Server using OpenSSL and the connection shows the following information:

TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

When the same POP3-Server is running on "Windows Server 2019" it works fine and OpenSSL shows the same TLS and Cipher.

Will also check with the developer of the POP3-Server if there are any updates available.

Best regards
Michael
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Tue Mar 05, 2024 3:06 pm

Yes, when OpenSSL is not used but the Windows API is used for encryption, then the result depends on the Windows version (and settings).
But Windows 2022 supports ECDHE-RSA-AES256-GCM-SHA384
https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-server-2022

Could you check SSL Cipher Suite Order group policy setting using gpedit.msc?
Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order

Also, TLS 1.2 should be enabled in HostMonitor settings. TLS 1.2 is enabled by default or when you set the sslProto_POP3 parameter to
- 2048 (just TLS 1.2)
- 2560 (TLS 1.1 and 1.2)
- 10752 (TLS 1.1, 1.2, 1.3)

In HostMonitor 13.80, SSL3, TLS1, TLS1.1 and TLS1.2 are enabled by default.
In HostMonitor 14.00, TLS1.1, TLS1.2 and TLS 1.3 are enabled by default.

> We already tried sslProto_POP3 in Misc section but none of the values are solving the issue.

Have you tried sslProto_POP3=2560?

Have you tried setting the sslProto_POP3 parameter to 2720 (like old HM 13.80)?
This will not help if the server really supports TLS 1.2, but it may help if the server does not support TLS 1.2 and even TLS 1.1 while it supports really old protocols.

Note: you have to restart HostMonitor when you make such changes.

Regards
Alex
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Wed Mar 06, 2024 4:30 am

Hi Alex,
Thanks for the detailed information. The SSL Cipher Suite Order group policy is not configured.
I can confirm it works fine with HM14 when using sslProto_POP3 with 2048 or 2560. It fails with 10752. The POP3 Server we are connecting to does not support TLS1.3 yet, so it looks like HM tries to use the highest available TLS version from its configuration for some reason. Maybe the POP3 Server does not announce its available TLS version during connection...
So we use one of the working settings for now.
Thanks again for your assistance.

Best regards
Michael
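
Added example, not part of any post in this thread and not HostMonitor's code: a Python sketch that decodes the sslProto_POP3 values quoted above and probes which TLS versions a POP3 server accepts, so the setting can be limited to versions the server really negotiates. Assumptions: the bit values are inferred from the four numbers in the thread (they match the Windows Schannel SP_PROT_*_CLIENT flags), the server listens with implicit TLS on port 995, and the function names are hypothetical.

```python
import socket
import ssl

# Bit values inferred from the settings quoted in the thread (2048, 2560,
# 10752, 2720); they match the Windows Schannel SP_PROT_*_CLIENT flags.
# This mapping is an assumption, the vendor does not state it in the thread.
PROTO_BITS = {"SSL3": 0x20, "TLS1.0": 0x80, "TLS1.1": 0x200,
              "TLS1.2": 0x800, "TLS1.3": 0x2000}

# Versions pinned for probing; older ones are normally disabled in current
# OpenSSL builds, so they are not probed here.
PROBE = {"TLS1.2": ssl.TLSVersion.TLSv1_2, "TLS1.3": ssl.TLSVersion.TLSv1_3}


def decode_mask(value):
    """Return (enabled protocol names, leftover unknown bits) for a setting."""
    names = [name for name, bit in PROTO_BITS.items() if value & bit]
    return names, value & ~sum(PROTO_BITS.values())


def encode_mask(names):
    """Build the numeric setting from a collection of protocol names."""
    return sum(PROTO_BITS[name] for name in set(names))


def probe_version(host, version, port=995, timeout=5.0):
    """Attempt a handshake pinned to one TLS version.

    Returns the negotiated version string, or None if the handshake fails.
    Certificate checks are disabled because only protocol support is tested.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def suggest_setting(host, port=995):
    """Probe the server; return (mask of accepted versions, their names)."""
    accepted = [n for n, v in PROBE.items() if probe_version(host, v, port)]
    return encode_mask(accepted), accepted
```

Against a server that accepts TLS 1.2 but fails the TLS 1.3 handshake, `suggest_setting` returns 2048, one of the values reported as working in the thread.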
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Wed Mar 06, 2024 3:46 pm

You are welcome.
We will check the code on our side as well.

Regards
Alex
All times are GMT - 6 Hours