ssl_min_protocol appears to be ignored?
Hi, I'm trying to enable TLS1.0 support for an old client. Per dovecot -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
# Hostname:
In 10-ssl.conf, I have set
ssl_min_protocol = TLSv1
(It doesn't show in dovecot -n, I suspect because it's equal to the default value?) I restarted dovecot with systemctl. Then, from another machine,
openssl s_client -connect zeserver.com:993 -tls1
fails with this output:
CONNECTED(00000003) 140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
The same command with -tls1_2 works as intended (certificate printing, imap prompt).
Am I forgetting something somewhere, or is this an actual bug?
You may need to add to your ssl_cipher_list
ssl_cipher_list = ALL:@SECLEVEL=1
I am not 100% certain why, but the @SECLEVEL=1 addition unlocks several ciphers that I've found to be required for TLSv1 to work.
On Tue, 12 Apr 2022 14:32:43 -0500 Myriam Luce luce.myriam@gmail.com wrote:
running dovecot 2.3.18 (current)
can do connection test
# openssl s_client -connect localhost:993 -tls1
CONNECTED(00000003)
write:errno=0
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1649941141
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
and worked ok
currently I have the min version remmed out?
ssl = yes
verbose_ssl = yes
ssl_dh =
#ssl_min_protocol = TLSv1.2*
On 4/12/2022 3:32 PM, Myriam Luce wrote:
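Both replies diagnose the problem by reading openssl s_client output, so here is an added shell example (not code from the thread and not Dovecot's own tooling) that classifies such a transcript by which side of the handshake gave up. The decisive detail in the original post is the error text itself: "tls_construct_client_hello:no protocols available" is raised inside the probing machine's own OpenSSL while it builds the ClientHello, and the 7 bytes it reports as written are far too few to be a ClientHello (a 5-byte record header plus a 2-byte alert), so that probe never asked the server for TLS 1.0 and says nothing about ssl_min_protocol on the Dovecot side. A stock Ubuntu 20.04 client, for instance, ships an openssl.cnf with MinProtocol = TLSv1.2 and CipherString = DEFAULT:@SECLEVEL=2, which produces exactly this symptom. A transcript where a full ClientHello went out (the 104 bytes in the second reply) but 0 bytes came back and the cipher is (NONE) is the opposite case: the server ended the connection without completing a handshake. The sample transcripts below are constructed from the ones quoted in the thread plus one invented successful TLS 1.2 probe; the probe_tls_version helper and its optional client security-level argument are assumptions about an OpenSSL 1.1.x client and are not exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: classify an
# `openssl s_client` transcript to see which side of the handshake gave up
# before touching any server setting.
#
# Rules (derived only from what s_client prints):
#  * "tls_construct_client_hello:no protocols available" comes from the
#    client's own OpenSSL before a ClientHello exists; the server was never asked.
#  * a ClientHello was written, but the client "read 0 bytes" and ends with
#    "Cipher is (NONE)": the server closed or rejected without a handshake.
#  * "Cipher is <name>" with a real cipher: that protocol version works.

classify_sclient_output() {
    # Reads one s_client transcript (stdout and stderr merged) from stdin.
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'tls_construct_client_hello:no protocols available'; then
        echo "client-refused"
        return 0
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    read_bytes=$(printf '%s\n' "$out" | sed -n 's/.*SSL handshake has read \([0-9]*\) bytes.*/\1/p' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo "negotiated:$cipher"
    elif [ "${read_bytes:-0}" -eq 0 ]; then
        echo "server-rejected"
    else
        echo "unknown"
    fi
}

# Probe a live server (needs network, so the samples below do not use it).
# $1 host, $2 port, $3 s_client version flag (tls1, tls1_1, tls1_2),
# $4 optional client security level. Assumption: the probing client is an
# OpenSSL 1.1.x build whose own @SECLEVEL policy is what blocks old versions,
# so lowering it for this one command separates client policy from server policy.
probe_tls_version() {
    host=$1; port=$2; ver=$3; level=${4:-}
    if [ -n "$level" ]; then
        openssl s_client -connect "$host:$port" "-$ver" -cipher "ALL:@SECLEVEL=$level" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" "-$ver" </dev/null 2>&1
    fi
}

# Constructed sample transcripts, abridged from the ones quoted in the thread.
SAMPLE_CLIENT_REFUSED='CONNECTED(00000003)
140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
no peer certificate available
SSL handshake has read 0 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)'

SAMPLE_SERVER_REJECTED='CONNECTED(00000003)
write:errno=0
no peer certificate available
SSL handshake has read 0 bytes and written 104 bytes
New, (NONE), Cipher is (NONE)'

# Constructed: what a successful TLS 1.2 probe looks like (cipher name is illustrative).
SAMPLE_OK='CONNECTED(00000003)
SSL handshake has read 2310 bytes and written 288 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)'

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_CLIENT_REFUSED" "$SAMPLE_SERVER_REJECTED" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_sclient_output
done
```

Against a real server the pieces combine as `probe_tls_version zeserver.com 993 tls1 | classify_sclient_output`; a "client-refused" result means the probing machine's own OpenSSL policy needs attention (or the probe needs the optional level argument) before the Dovecot ssl_min_protocol and ssl_cipher_list settings are worth changing, and only a "server-rejected" result points at the server configuration discussed in the replies.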
participants (3)
- Myriam Luce
- Paul Kudla (SCOM.CA Internet)
- Shaun Johnson