On 15 Oct 2020, at 22:18, Brian Martin <bmartin@silverflash.net> wrote:
> Eventually I came across one posting regarding a web server that told me the OpenSSL libraries that Dovecot and lots of other packages use have a single configuration file for the entire system. In Ubuntu 20.04 it defaults to requiring TLSv1.2 or above. Changing the configuration for OpenSSL affects everything on the system using the library. I changed the file, restarted Dovecot, and it immediately accepted TLSv1 connections.
I believe current versions of OpenSSL have removed support for TLSv1 and TLSv1.1, so is your OpenSSL up-to-date?
The recommendation on this is clear, BTW:
<https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html#rfc.section.4>
"TLSv1.0 MUST NOT be used. Negotiation of TLSv1.0 from any version of TLS MUST NOT be permitted."
…
"TLSv1.1 MUST NOT be used. Negotiation of TLSv1.1 from any version of TLS MUST NOT be permitted."
I removed support for TLSv1.1 quite some time ago (and TLSv1.0 some time before that). People with older clients can use the webmail or their mobile devices, if their browser supports TLSv1.2 or TLSv1.3. I did have one Mac user who refused to upgrade his OS though his device supported it, but then was forced to in order to connect his iPhone, if I recall correctly.
Not sure what browsers support TLS 1.0 or 1.1 anymore, but I do know Google Chrome and Firefox dropped support some months back, though they might have rolled it back temporarily since so many government sites were not updated in the midst of the pandemic. (Not sure about this, but it seems I read something along these lines. I have no way of verifying as I moved everything off TLS1.1 and lower quite a while back.)
Anyone on a machine that will not support TLSv1.2 or TLSv1.3 is going to be having a very limited experience with the entirety of the Internet, not just with mail.
-- If you must choose between two evils, pick the one you've never tried before.
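
Added example, not part of either poster's message: a small audit of the system-wide OpenSSL configuration discussed above, reporting whether its protocol floor still admits TLSv1.0 or TLSv1.1. It assumes the floor is set with OpenSSL's `MinProtocol` directive in the `system_default` section (on Debian and Ubuntu the file is `/etc/ssl/openssl.cnf`); the sample configurations are constructed, and the parser is simplified (no `.include` or variable expansion).

```python
import re

# Protocol names accepted by OpenSSL's MinProtocol directive, oldest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_sections(text):
    """Parse openssl.cnf text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_min_protocol(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return MinProtocol or None."""
    sections = parse_sections(text)
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
    return sections.get(name, {}).get("MinProtocol")

def allows_deprecated_tls(text):
    """True if the floor is below TLSv1.2, False if not, None if no floor is configured
    (the library's built-in default then applies)."""
    floor = system_min_protocol(text)
    if floor is None:
        return None
    if floor not in ORDER:                       # e.g. "None" means no lower bound
        return True
    return ORDER.index(floor) < ORDER.index("TLSv1.2")

# Constructed sample configurations (not taken from any real host).
HARDENED = """
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2   # constructed sample
"""
WEAKENED = HARDENED.replace("TLSv1.2", "TLSv1")

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, system_min_protocol(cfg), allows_deprecated_tls(cfg))
```

Because the file is shared by every program linked against the library, a `True` result applies to all of them, not only Dovecot.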