ssl_min_protocol appears to be ignored?

Paul Kudla (SCOM.CA Internet) paul at scom.ca
Thu Apr 14 13:01:50 UTC 2022


Running Dovecot 2.3.18 (current).

Can do a connection test:

# openssl s_client -connect localhost:993 -tls1
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1649941141
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
---

and it worked ok.

Currently I have the min version commented out?

ssl = yes
verbose_ssl = yes
ssl_dh = </usr/local/etc/dovecot/dh-4096.pem
ssl_prefer_server_ciphers = yes

#ssl_min_protocol = TLSv1.2

On 4/12/2022 3:32 PM, Myriam Luce wrote:
>
> Hi, I'm trying to enable TLS1.0 support for an old client. Per dovecot -n
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
> # Hostname:
>
> In 10-ssl.conf, I have set
>
> ssl_min_protocol = TLSv1
>
> (It doesn't show in dovecot -n, I suspect because it's equal to the
> default value?) I restarted Dovecot with systemctl. Then, from another
> machine,
>
> openssl s_client -connect zeserver.com:993 -tls1
>
> fails with this output:
>
> CONNECTED(00000003)
> 140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 7 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
>
> The same command with -tls1_2 works as intended (certificate printing,
> IMAP prompt).
>
> Am I forgetting something somewhere, or is this an actual bug?
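The two transcripts in this thread fail in different places, and telling them apart is the first step before touching Dovecot's ssl_min_protocol. An error raised inside tls_construct_client_hello ("no protocols available") is the local OpenSSL refusing to build a ClientHello for that version at all; the server was never asked. Ubuntu 20.04 ships /etc/ssl/openssl.cnf with MinProtocol = TLSv1.2 in its system default section, which is exactly what produces that message when s_client is run with -tls1. A transcript that instead shows "SSL handshake has read 0 bytes" together with "Cipher is (NONE)" and write:errno=0 means a ClientHello did go out and the peer closed the connection without a ServerHello, so that one is a server-side decision. The helper below, added here as an editor's example and not code from the thread or from Dovecot, classifies an s_client transcript accordingly and wraps the probe with OPENSSL_CONF=/dev/null so the client's own policy file cannot masquerade as a server refusal. The three sample transcripts are constructed (trimmed to the relevant lines) from the outputs posted above plus an assumed successful TLS 1.2 handshake; the host name imap.example.test and the function names are likewise assumptions. Keep in mind that raising the floor back to TLS 1.0 for one old client lowers it for every client of that listener; TLS 1.0 and 1.1 are deprecated by RFC 8996.

```shell
#!/bin/sh
# Added example, not code from the thread: triage "openssl s_client" output so
# a failed -tls1 test is blamed on the right side before changing Dovecot.
#
# classify_sclient reads one s_client transcript on stdin and prints:
#   client-refused    the local OpenSSL would not offer that protocol at all
#                     ("no protocols available" from tls_construct_client_hello,
#                     so no ClientHello was built and the server never saw it)
#   server-rejected   a ClientHello went out but no handshake completed
#                     ("Cipher is (NONE)": the peer closed or sent an alert)
#   negotiated:<ver>  the handshake completed with the protocol version shown
classify_sclient() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'no protocols available'; then
        echo client-refused
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo server-rejected
    else
        # "    Protocol  : TLSv1.2" -> "TLSv1.2"
        ver=$(printf '%s\n' "$transcript" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
        echo "negotiated:${ver:-unknown}"
    fi
}

# probe_tls HOST PORT FLAG   (FLAG is one of -tls1 -tls1_1 -tls1_2 -tls1_3)
# Runs s_client with the system openssl.cnf bypassed (OPENSSL_CONF=/dev/null),
# so a distribution policy such as MinProtocol = TLSv1.2 in that file cannot be
# mistaken for a server-side refusal. Needs network access; not run below.
probe_tls() {
    OPENSSL_CONF=/dev/null openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 \
        | classify_sclient
}

# Constructed sample transcripts, trimmed to the lines that matter.
SAMPLE_CLIENT_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
EOF
)

SAMPLE_SERVER_CLOSED=$(cat <<'EOF'
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 104 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
)

# Assumed successful handshake against a hypothetical imap.example.test.
SAMPLE_NEGOTIATED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = imap.example.test
---
SSL handshake has read 2731 bytes and written 386 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
)

printf 'client refused sample: %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT_REFUSED" | classify_sclient)"
printf 'server closed sample:  %s\n' "$(printf '%s\n' "$SAMPLE_SERVER_CLOSED" | classify_sclient)"
printf 'negotiated sample:     %s\n' "$(printf '%s\n' "$SAMPLE_NEGOTIATED" | classify_sclient)"
```

To use it against a real listener, run `probe_tls mail.example.test 993 -tls1`; a result of client-refused even with the policy file bypassed means the local OpenSSL build itself no longer offers TLS 1.0, while server-rejected is the point at which Dovecot's ssl_min_protocol (and the OpenSSL it is linked against) becomes the thing to inspect.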