ssl_min_protocol appears to be ignored?

Shaun Johnson shaun at linuxmagic.com
Wed Apr 13 15:21:15 UTC 2022


You may need to add to your ssl_cipher_list

ssl_cipher_list = ALL:@SECLEVEL=1

I am not 100% certain why but the @SECLEVEL=1 addition unlocks several
ciphers that I've found to be required for TLSv1 to work



On Tue, 12 Apr 2022 14:32:43 -0500
Myriam Luce <luce.myriam at gmail.com> wrote:

> Hi, I'm trying to enable TLS1.0 support for an old client. Per
> dovecot -n
> 
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
> # Hostname:
> 
> In 10-ssl.conf, I have set
> 
> ssl_min_protocol = TLSv1
> 
> (It doesn't show in dovecot -n, I suspect because it's equal to
> default value?) I restarted dovecot with systemctl. Then, from
> another machine,
> 
> openssl s_client -connect zeserver.com:993 -tls1
> 
> fails with this output:
> 
> CONNECTED(00000003)
> 140166917489984:error:141E70BF:SSL 
> routines:tls_construct_client_hello:no protocols 
> available:../ssl/statem/statem_clnt.c:1112:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 7 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> 
> The same command with -tls1_2 works as intended (certificate
> printing, imap prompt).
> 
> Am I forgetting something somewhere, or is this an actual bug?
> 
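The -tls1 probe quoted above fails inside tls_construct_client_hello, that is, while the client's own OpenSSL is still building the ClientHello, so it reports the client's protocol limits rather than the server's answer; checking ssl_min_protocol or the @SECLEVEL=1 change from another machine only means something once that case is told apart from a real server rejection. The script below is an added example, not code from the thread or from Dovecot: it classifies s_client output into client-side refusal, server rejection, or negotiated version. The function names and the two constructed sample outputs are assumptions; the first sample is the run quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): sort the outcome of an
#   openssl s_client -connect HOST:PORT -tls1 </dev/null
# probe into one of three results, so a TLS-version audit of an IMAP
# server does not mistake a client-side refusal for a server answer:
#   client-config    the client's own OpenSSL would not offer the version
#                    ("no protocols available" raised while building the
#                    ClientHello, as in the quoted -tls1 run)
#   server-rejected  a ClientHello went out and the handshake failed
#   negotiated:V     the handshake completed with protocol V
classify_tls_probe() {
    out=$1   # captured stdout+stderr of s_client
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo client-config; return 0
    fi
    if printf '%s\n' "$out" | grep -q '^New, (NONE)'; then
        echo server-rejected; return 0
    fi
    v=$(printf '%s\n' "$out" | sed -n 's/^New, \(TLSv1[.0-9]*\), .*/\1/p' | head -n 1)
    if [ -n "$v" ]; then
        echo "negotiated:$v"; return 0
    fi
    echo unknown; return 1
}

# Run one live probe; $1 = host:port, $2 = version flag such as -tls1 or -tls1_2.
probe_tls_version() {
    out=$(openssl s_client -connect "$1" "$2" </dev/null 2>&1)
    classify_tls_probe "$out"
}

# Sample outputs for offline use. The first is the run quoted in the message
# (mail line-wrapping undone); the other two are constructed to mirror the
# OpenSSL 1.1.1 s_client format and are not captured from any real server.
sample_client_config() {
    printf '%s\n' 'CONNECTED(00000003)' \
      '140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:' \
      'New, (NONE), Cipher is (NONE)'
}
sample_server_rejected() {
    printf '%s\n' 'CONNECTED(00000003)' \
      'error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version' \
      'New, (NONE), Cipher is (NONE)'
}
sample_negotiated() {
    printf '%s\n' 'CONNECTED(00000003)' \
      'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384' \
      'Server public key is 2048 bit'
}
```

Run `probe_tls_version zeserver.com:993 -tls1` from a host whose OpenSSL still offers TLSv1; a client-config result means the probing machine, not the server, needs attention first.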


