
Sophos EAS no cipher suites in common

Hello all,

I have been using Sophos EAS on premise for a few years now to allow employees to use Sophos Secure Mail. Over the last few years I have not encountered any problems when renewing my certificate in the EAS proxy as well as on Exchange. Since the last renewal, I unfortunately now get the following error:

2023-02-02 16:02:47.157 [nioEventLoopGroup-3-4] ERROR InboundHandler_neueralsneu - Exception on channel -356888948 remoteAddr: null localAddr: 0.0.0.0/0.0.0.0:443: javax.net.ssl.SSLHandshakeException: no cipher suites in common

With Keytools I have looked at the corresponding certificate stores of the Java instance of the EAS Proxy and I can say that my root CA is included. In addition I can see that my used encryption method is included in the config: ECDHE-RSA-AES128-GCM-SHA256 - This is also a common method.

What I can't tell exactly is if the error message refers to the connection between client and EAS or to the connection between EAS and Exchange.

Maybe someone here has an approach that helps me.

Thanks in advance
Stephan
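
An added example, not part of the original posts and not Sophos code: the sketch below uses Python's OpenSSL bindings (not the Java TLS stack the EAS proxy runs on) to show that a TLS server can fail a handshake with a no-shared-cipher error even when both sides are configured with the ECDHE-RSA-AES128-GCM-SHA256 suite quoted in the post, if the server has no usable RSA certificate and private key loaded. The function names and the in-memory handshake are constructed for illustration.

```python
import ssl

SUITE = "ECDHE-RSA-AES128-GCM-SHA256"  # suite named in the post


def _context(protocol):
    ctx = ssl.SSLContext(protocol)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep the test on TLS 1.2 suites
    ctx.set_ciphers(SUITE)                        # identical list on both sides
    return ctx


def handshake_without_server_key():
    """Return (suites the client offers, server-side failure reason)."""
    server_ctx = _context(ssl.PROTOCOL_TLS_SERVER)  # deliberately no load_cert_chain()
    client_ctx = _context(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    try:
        client.do_handshake()          # writes the ClientHello into c_out
    except ssl.SSLWantReadError:
        pass
    s_in.write(c_out.read())           # deliver the ClientHello to the server

    reason = None
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        pass                           # would mean the server accepted the hello
    except ssl.SSLError as exc:
        reason = exc.reason            # OpenSSL's mnemonic for the failure
    offered = [c["name"] for c in client_ctx.get_ciphers()]
    return offered, reason


if __name__ == "__main__":
    offered, reason = handshake_without_server_key()
    print("client offers:", offered)
    print("server result:", reason)
```

The failure is raised on the server side of the handshake, which is the side that has to match an offered suite against a key it actually holds.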



This thread was automatically locked due to age.
  • Thank you for reaching the community forum.

    May we know which email client you're currently using for this? Have you tried adding the self-signed server certificate as a Root CA to a policy and distributing it as part of the policy?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi,

    We only use the Sophos app together with Sophos Mobile Control and secure workspace. However, we only use the approach that devices are used in "private" mode and not as a company device.
    I have never distributed a certificate via the policy.

    Do I understand correctly that you mean the following point: Sophos Central --> Mobile --> Policies --> Android --> add configuration --> certificates ?

    Thanks for the quick feedback!

    Stephan

    Edit:
    I have included the easproxy_cert.crt at the point mentioned and rolled it out to my device. To be on the safe side I have also added the following certificates (matching our included certificate in EAS proxy):

    C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
    C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

    Unfortunately I still get the same error message!

  • I have now solved the problem for me by putting a WAF in front of the EAS proxy that presents my wildcard certificate.

    It is not directly a solution to the problem but does not make the construct worse!

    Thanks for the approach, it gave me the idea.

  • Hello Prifesport,

    I'm glad to hear that you can solve your existing issues. I will mark your response as a suggested answer for other customers to reference what you've done if they ever encounter the same. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer