A lot of Web Hosting providers only allow newer versions of TLS ciphers to be used, so only will be available:
+no_sslv2 +no_sslv3
This is good security practice and should be followed on every cPanel setup. But if you have clients on older versions of Outlook that use TLS 1.0/1.1, they will get an error when they try to connect to their email accounts:
SSL Connection has failed.
exim_mainlog:
exim_mainlog:2022-09-09 18:02:10 SMTP connection from [10.20.30.40]:51785 (TCP/IP connection count = 2)
exim_mainlog:2022-09-09 18:02:10 TLS error on connection from 10-020-030-040.pcx3.com (PCx3) [10.20.30.40]:51785 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
exim_mainlog:2022-09-09 18:02:10 SMTP connection from 10-020-030-040.pcx3.com (PCx3) [10.20.30.40]:51785 closed by EOF
Solution
The recommended solution is for the end user to update their email client. If that is not an option, you can enable the older TLS versions on cPanel from: WHM > Service Configuration > Exim Configuration Manager > Advanced Editor
Bear in mind that this is a server-wide setting and will affect all cPanel users.
Possible options:
all
allow_unsafe_legacy_renegotiation
cipher_server_preference
dont_insert_empty_fragments
ephemeral_rsa
legacy_server_connect
microsoft_big_sslv3_buffer
microsoft_sess_id_bug
msie_sslv2_rsa_padding
netscape_challenge_bug
netscape_reuse_cipher_change_bug
no_compression
no_session_resumption_on_renegotiation
no_sslv2
no_sslv3
no_ticket
no_tlsv1
no_tlsv1_1
no_tlsv1_2
single_dh_use
single_ecdh_use
ssleay_080_client_dh_bug
sslref2_reuse_cert_type_bug
tls_block_padding_bug
tls_d5_bug
tls_rollback_bug
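Since the change is server-wide, it helps to know which clients are actually failing before relaxing anything. The following is an added example, not part of the original article: it groups the `TLS error ... (SSL_accept)` lines shown above by client IP. The function name, the two extra OpenSSL reason strings and every sample line after the first three are assumptions made for illustration.

```python
import re

# OpenSSL reason strings treated as a protocol-version mismatch. Only
# "unknown protocol" appears on this page; the other two are assumptions.
VERSION_REASONS = ("unknown protocol", "unsupported protocol", "version too low")

# "TLS error on connection from [host] [(helo)] [ip]:port (SSL_accept): <error>"
TLS_ERROR = re.compile(
    r"^(?:exim_mainlog:)?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection from (?:(?P<host>[^\s(\[]\S*) )?"
    r"(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)?.*? "
    r"\(SSL_accept\): (?P<err>.+)$"
)

def failing_tls_clients(lines):
    """Group protocol-version TLS handshake errors by client IP."""
    clients = {}
    for line in lines:
        m = TLS_ERROR.match(line.strip())
        if not m:
            continue
        # The reason is the last colon-separated field of the OpenSSL error.
        reason = m["err"].rsplit(":", 1)[-1].strip()
        if reason not in VERSION_REASONS:
            continue  # a different handshake failure, not a protocol-version one
        c = clients.setdefault(m["ip"], {"count": 0, "last_seen": "", "names": set()})
        c["count"] += 1
        c["last_seen"] = max(c["last_seen"], m["ts"])
        c["names"].update(n for n in (m["host"], m["helo"]) if n)
    return clients

# The first three lines are the excerpt from this page; the rest are constructed.
SAMPLE_LOG = """\
exim_mainlog:2022-09-09 18:02:10 SMTP connection from [10.20.30.40]:51785 (TCP/IP connection count = 2)
exim_mainlog:2022-09-09 18:02:10 TLS error on connection from 10-020-030-040.pcx3.com (PCx3) [10.20.30.40]:51785 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
exim_mainlog:2022-09-09 18:02:10 SMTP connection from 10-020-030-040.pcx3.com (PCx3) [10.20.30.40]:51785 closed by EOF
2022-09-09 18:05:41 TLS error on connection from [192.0.2.15]:40112 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2022-09-09 18:07:02 TLS error on connection from (mailpc) [192.0.2.15]:40120 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2022-09-09 18:09:30 TLS error on connection from [198.51.100.7]:33010 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
""".splitlines()

if __name__ == "__main__":
    for ip, c in sorted(failing_tls_clients(SAMPLE_LOG).items()):
        print(f"{ip}  failures={c['count']}  last={c['last_seen']}  names={sorted(c['names'])}")
```

Running it against the real log after a change shows whether the listed clients have stopped failing, and which ones should be asked to upgrade so the older protocols can be turned off again.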