TLS problem after upgrading from v2.2 to v2.3
Goetz Schultz
email at suelze.de
Sat Jan 6 00:52:54 EET 2018
Hi,
what are your settings?
Mine are below and they work just fine:
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
Thanks and regards
Goetz R. Schultz
On 04/01/18 18:56, Jan Vejvalka wrote:
> Hi *,
>
> The change in default SSL settings between 2.2 and 2.3 cut off a few
> clients; Microsoft-hosted Exchange (?) being one of them:
>
> Jan 4 11:02:56 kremail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=40.101.4.hisip, lip=myip, TLS
> handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<8SGob/BhTdcoZQS1>
>
> Explicitly setting ssl_cipher_list to the old defaults helped:
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> Does someone have an idea what to recommend to the poor user or should
> I accept that I stay with the old defaults ? The guy is cooperative, so
> we can find out which of the !'s in the new defaults actually breaks the
> connection... if you think it's worth.
>
> Thanks for your help,
>
> Jan
>
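
An added example, not part of either poster's message: one way to narrow down a "no shared cipher" failure is to expand each ssl_cipher_list string with the local OpenSSL (through Python's ssl module) and intersect the result with what the client offers. The client offer below is a constructed sample, not the real ClientHello of the client in the thread, and the output depends on the OpenSSL build that runs it, which may differ from the mail server's.

```python
import ssl

# Both cipher strings are copied from the messages above.
OLD_DEFAULTS = "ALL:!LOW:!SSLv2:!EXP:!aNULL"
EXPLICIT_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3"
)

# Constructed sample: suites a legacy client might offer (OpenSSL names).
# This is NOT the real ClientHello of the client in the thread.
SAMPLE_CLIENT_OFFER = ["AES128-SHA", "DES-CBC3-SHA"]


def expand(cipher_string):
    """Return the suite names the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def dropped(old, new):
    """Suites enabled by `old` that `new` no longer enables."""
    kept = set(expand(new))
    return [name for name in expand(old) if name not in kept]


def negotiable(server_string, client_offer):
    """Suites both sides have; an empty list means 'no shared cipher'."""
    offered = set(client_offer)
    return [name for name in expand(server_string) if name in offered]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("dropped by explicit list:", dropped(OLD_DEFAULTS, EXPLICIT_LIST))
    for label, s in (("old defaults", OLD_DEFAULTS), ("explicit", EXPLICIT_LIST)):
        print(label, "->", negotiable(s, SAMPLE_CLIENT_OFFER) or "no shared cipher")
```
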