# SSL_accept:failed in SSLv3 read client key [SOLVED]

## Zubziro

Hi all,

Recently (don't know for sure, 1 month ago) users of hotmail.com are no longer able to send mail messages to my postfix server.

For everybody else it's perfectly working (google, yahoo, facebook... etc... etc...)

(I'm using STARTTLS)

(I'm using a self-signed certificate)

In my mail logs I can see: 

```
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:SSLv3 flush data
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:SSLv3 read client certificate A
Oct 20 19:25:50 nas postfix/smtpd[8326]: read from 55AA0CC7E850 [55AA0CC8E573] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 20 19:25:50 nas postfix/smtpd[8326]: read from 55AA0CC7E850 [55AA0CC8E573] (5 bytes => 0 (0x0))
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:failed in SSLv3 read client key exchange A
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept error from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]: lost connection
Oct 20 19:25:50 nas postfix/smtpd[8326]: lost connection after STARTTLS from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]
Oct 20 19:25:50 nas postfix/smtpd[8326]: disconnect from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25] ehlo=1 starttls=0/1 commands=1/2
```

I don't even know where to begin digging, any clue? (yes I tried google)

Postfix TLS config is pretty standard:

```
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/bla/private/bla.pem
smtpd_tls_cert_file = /etc/ssl/bla/cert-bla.pem
smtpd_tls_CAfile = /etc/ssl/bla/cert-root-bla.pem
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
```

Thanks for advice.

/zubziro

Last edited by Zubziro on Sat Oct 21, 2017 5:23 pm; edited 1 time in total

----------

## cdstealer

Hi,  I may be wrong here, but when I have dealt with this error in the (recent) past, it was to do with the version of TLS in use.

eg.  "An App" using TLSv1.2 connecting to "A Server" using TLSv1

So it *could* be Hotmail running an old (unsupported) version of TLS.  You may be able to work around it by enabling TLSv1 support in Postfix as I suspect it will be disabled due to security reasons.

CD

----------

## toralf

```
SSL_accept:SSLv3 flush data 
```

SSLv3 (aka TLS 1.0) is long deprecated - is switching to a newer TLS, at least 1.1, an option?

----------

## Zubziro

 *cdstealer wrote:*   

> Hi,  I may be wrong here, but when I have dealt with this error in the (recent) past, it was to do with the version of TLS in use.
> 
> eg.  "An App" using TLSv1.2 connecting to "A Server" using TLSv1
> 
> So it *could* be Hotmail running an old (unsupported) version of TLS.  You may be able to work around it by enabling TLSv1 support in Postfix as I suspect it will be disabled due to security reasons.
> ...

 

Thanks! 

I got it working by specifically enabling TLSv1.

```
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1
```

Still strange that hotmail uses this old version.

/bye

Last edited by Zubziro on Sat Oct 21, 2017 7:03 pm; edited 1 time in total

----------

## cdstealer

Nice one :D

----------
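An added example (not code from any poster in this thread): a small Python log check that generalizes the single case in the first post by listing every remote MTA whose session summary shows a failed STARTTLS (`starttls=0/1`), together with the handshake state logged in the preceding `SSL_accept:failed in ...` line. The sample log is constructed in the format quoted above, its hostnames and addresses are made up, and the function name `starttls_failures` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread
# (hostnames and addresses are made up for this example).
SAMPLE_LOG = """\
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:SSLv3 read client certificate A
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:failed in SSLv3 read client key exchange A
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept error from mx1.example.net[192.0.2.10]: lost connection
Oct 20 19:25:50 nas postfix/smtpd[8326]: lost connection after STARTTLS from mx1.example.net[192.0.2.10]
Oct 20 19:25:50 nas postfix/smtpd[8326]: disconnect from mx1.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Oct 20 19:26:02 nas postfix/smtpd[8330]: disconnect from mx2.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 20 19:27:11 nas postfix/smtpd[8341]: SSL_accept:failed in SSLv3 read client hello A
Oct 20 19:27:11 nas postfix/smtpd[8341]: disconnect from mx1.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED = re.compile(r"^SSL_accept:failed in (?P<state>.+)$")
# "starttls=ok/total" appears in the summary only when some attempts failed.
DISCONNECT = re.compile(
    r"^disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\].*\bstarttls=(?P<ok>\d+)/(?P<total>\d+)")

def starttls_failures(log_text):
    """Return {(host, ip): [handshake state at failure, ...]} for sessions
    whose disconnect summary shows fewer successful STARTTLS than attempted."""
    last_state = {}                  # smtpd pid -> last failed handshake state
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg").strip()
        f = FAILED.match(msg)
        if f:
            last_state[pid] = f.group("state")
            continue
        d = DISCONNECT.match(msg)
        if d and int(d.group("ok")) < int(d.group("total")):
            # Attribute the remembered handshake state to this client.
            failures[(d.group("host"), d.group("ip"))].append(last_state.pop(pid, "unknown"))
        elif msg.startswith("disconnect from"):
            last_state.pop(pid, None)    # session ended cleanly; forget state
    return dict(failures)

if __name__ == "__main__":
    for (host, ip), states in starttls_failures(SAMPLE_LOG).items():
        print(f"{host} [{ip}]: {len(states)} failed STARTTLS; states: {states}")
```

The handshake state is only available when the TLS log level is high enough to emit the `SSL_accept:` lines, as with the `smtpd_tls_loglevel = 9` setting in the first post; otherwise the state is reported as `unknown`.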

