Hello,
I don't know who will read this message, but I found this thread: https://www.mail-archive.com/search?l=dovecot@dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest and I'm experiencing the same issue. I will try to explain it to you (English is not my native language, sorry).
Since the Buster update (and so the Dovecot update too), I'm not able to connect to my mail server from my iOS mail client (12.2). Thunderbird just works fine.
Here is my configuration:
Debian Buster (amd64)
Dovecot: 2.3.4.1
Postfix: 3.4.5
OpenSSL: 1.1.1c
Dovecot configuration file:
ssl_min_protocol = TLSv1.2 (I tried different versions)
When I tried to connect with the command line: openssl s_client -showcerts -connect server:993

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 2322 bytes and written 392 bytes
Verification error: unable to verify the first certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

When I tried to connect with the command line: openssl s_client -showcerts -no_tls1_3 -connect server:993

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 2423 bytes and written 310 bytes
Verification error: unable to verify the first certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
I think the "Secure Renegotiation IS NOT supported" with TLS 1.3 could be an issue, but I don't know what to do to fix it.
Could you help me? Let me know if you need more information.
Thank you.
Regards,
Alex
On 18 Jul 2019 at 11:21, Alexandre Urban via dovecot dovecot@dovecot.org wrote:
I would rather look at the "Verify return code: 21 (unable to verify the first certificate)" error. Is your TLS certificate valid and trusted on your iOS device?
IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3 (TLS1.3 forbids any renegotiation).
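As an added example (not from the thread or from Dovecot), here is a small Python helper that reads `openssl s_client -showcerts` output like the one pasted above and turns the verify return code, the number of certificates the server sent and the TLS version into findings. The two sample outputs are constructed with placeholder PEM bodies, and the advice about `ssl_cert` holding the leaf plus intermediates is the example's own assumption about how to act on verify code 21.

```python
import re

# Constructed inputs shaped like the s_client output quoted in the thread
# (placeholder PEM bodies, not real certificates).
TLS13_ONE_CERT = """\
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf...
-----END CERTIFICATE-----
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Verify return code: 21 (unable to verify the first certificate)
"""
TLS12_FULL_CHAIN = """\
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC...placeholder-intermediate...
-----END CERTIFICATE-----
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Verify return code: 0 (ok)
"""

# OpenSSL X509 verify result codes most often seen when probing an IMAPS port.
VERIFY_CODES = {
    0: "chain verified; certificate trust is not the problem",
    19: "self-signed root in chain is not in the local trust store",
    20: "issuer of the last certificate sent is not in the local trust store",
    21: "issuer of the leaf is unknown and no intermediate was sent",
}

def diagnose(s_client_output: str) -> dict:
    """Summarise `openssl s_client -showcerts` output into actionable findings."""
    certs_sent = s_client_output.count("-----BEGIN CERTIFICATE-----")
    code_m = re.search(r"Verify return code: (\d+)", s_client_output)
    proto_m = re.search(r"New, (TLSv1\.\d), Cipher is (\S+)", s_client_output)
    code = int(code_m.group(1)) if code_m else None
    protocol = proto_m.group(1) if proto_m else None
    reneg = "Secure Renegotiation IS supported" in s_client_output
    findings = [VERIFY_CODES.get(code, f"verify code {code}: see `openssl verify` docs")]
    if code == 21 and certs_sent == 1:
        # Assumed remedy: Dovecot's ssl_cert file should contain leaf + intermediate CA(s).
        findings.append("server sends only the leaf: put the full chain in ssl_cert")
    # TLS 1.3 removed renegotiation entirely, so this line is expected, not a fault.
    if protocol == "TLSv1.3" and not reneg:
        findings.append("'Secure Renegotiation IS NOT supported' is normal for TLS 1.3")
    return {"protocol": protocol, "verify_code": code,
            "certs_sent": certs_sent, "findings": findings}
```

Feed it the saved output of `openssl s_client -showcerts -connect server:993 </dev/null` to check whether a strict client such as iOS Mail is failing on trust rather than on the protocol version.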