Dovecot 2.3.0 TLS

Jean-Daniel Dupas jddupas at xooloo.com
Fri Jul 19 12:19:35 EEST 2019



> On 18 Jul 2019 at 11:21, Alexandre Urban via dovecot <dovecot at dovecot.org> wrote:
> 
> Hello,
>  
> I don’t know who will read this message, but I found this thread: https://www.mail-archive.com/search?l=dovecot@dovecot.org&q=subject:%22Dovecot+2.3.0+TLS%22&o=newest
> And I’m experiencing the same issue; I will try to explain it to you (English is not my native language, sorry).
>  
> Since the Buster update (and so the Dovecot update too), I’m not able to connect to my mail server from my iOS mail client (12.2).
> Thunderbird just works fine.
>  
> Here is my configuration:
>  
> Debian Buster (amd64)
> Dovecot: 2.3.4.1
> Postfix: 3.4.5
> OpenSSL: 1.1.1c
>  
> Dovecot configuration file:
>  
> ssl_min_protocol = TLSv1.2 (I tried different version)
>  
> When I tried to connect from the command line: openssl s_client -showcerts -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2322 bytes and written 392 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>  
> When I tried to connect from the command line: openssl s_client -showcerts -no_tls1_3 -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2423 bytes and written 310 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>  
> I think the “Secure Renegotiation IS NOT supported” with TLS 1.3 could be an issue, but I don’t know what to do to fix it.
>  
> Could you help me ?
> Let me know if you need more information.
>  

I would rather look at the "Verify return code: 21 (unable to verify the first certificate)" error.
Is your TLS certificate valid and trusted on your iOS device?

IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3 (TLS1.3 forbids any renegotiation).
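The reply above points at the verify return code rather than at renegotiation. One common cause of code 21 is a server that presents only its leaf certificate, so the client cannot build the chain up to a trusted root; iOS, unlike a command-line client with the intermediate already cached, then refuses the connection. The script below is an added example written for this page, not code from the thread, from Dovecot or from OpenSSL: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI (1.1.1 or later assumed on PATH; all names such as "Example Root CA" and mail.example.test are made up), shows that the leaf alone fails verification while leaf plus intermediate succeeds, and includes a helper for checking what a live server on :993 actually sends.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce "unable to verify the
# first certificate" offline and show the fix (serve the intermediate too).
# Assumes the openssl CLI (1.1.1+) is on PATH; all names are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -config req.cnf -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

make_chain() {
    # Self-signed root: the only certificate the client's trust store knows.
    newkey root.key && csr root.key "/CN=Example Root CA" root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA, signed by the root.
    newkey inter.key && csr inter.key "/CN=Example Intermediate CA" inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
    # Server (leaf) certificate for the IMAP host, signed by the intermediate.
    newkey leaf.key && csr leaf.key "/CN=mail.example.test" leaf.csr
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # What Dovecot's ssl_cert should point at: leaf first, then the intermediate(s).
    cat leaf.pem inter.pem > fullchain.pem
}

# Number of certificates in a PEM bundle (1 = a leaf without its chain).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Validate a served bundle the way a client with trust store $1 would: the
# first certificate in $2 is the leaf, the rest are the untrusted helper
# certificates the server supplied. Exit status 0 = chain builds to the root.
verify_served_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$2"; }

# For a live host (not run here): how many certificates does the server send,
# and what does s_client conclude? One certificate plus "Verify return code: 21"
# is the symptom from the thread.
inspect_live() {   # $1 = host:port, e.g. mail.example.test:993
    out=$(openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null)
    echo "certificates sent: $(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')"
    printf '%s\n' "$out" | grep 'Verify return code'
}

make_chain
echo "leaf only ($(count_certs leaf.pem) cert):"
verify_served_chain root.pem leaf.pem || true          # fails: issuer not found
echo "full chain ($(count_certs fullchain.pem) certs):"
verify_served_chain root.pem fullchain.pem             # prints "fullchain.pem: OK"
```

The fix on the Dovecot side is the same as the last line of make_chain: make ssl_cert reference a file that contains the server certificate followed by the issuing intermediate(s), not the leaf alone. After reloading, inspect_live against host:993 should report more than one certificate and "Verify return code: 0 (ok)" on a machine whose trust store holds the root.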


