<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 20/07/2019 13:12 Reio Remma via dovecot &lt;<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 19.07.2019 0:24, Reio Remma via dovecot wrote:
</div>
<blockquote type="cite">
<div>
I'm attempting to get Dovecot working with a MySQL user database on
</div>
<div>
another machine. I can connect to the MySQL (5.7.26) instance with SSL
</div>
<div>
enabled:
</div>
</blockquote>
<blockquote type="cite">
<div>
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
</div>
<div>
--ssl-cert=/etc/dovecot/client-cert.pem
</div>
<div>
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
</div>
<div>
-u vmail -p
</div>
</blockquote>
<blockquote type="cite">
<div>
However, if I use the same values in dovecot-sql.conf.ext, I get the
</div>
<div>
following error:
</div>
</blockquote>
<blockquote type="cite">
<div>
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
</div>
<div>
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
</div>
<div>
error: protocol version mismatch - waiting for 1 seconds before retry
</div>
<div>
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
</div>
<div>
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
</div>
<div>
using insecure transport are prohibited while
</div>
<div>
--require_secure_transport=ON. - waiting for 5 seconds before retry
</div>
</blockquote>
<blockquote type="cite">
<div>
Database connection string:
</div>
</blockquote>
<blockquote type="cite">
<div>
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
</div>
<div>
ssl_ca=/etc/dovecot/ca.pem \
</div>
<div>
ssl_cert=/etc/dovecot/client-cert.pem \
</div>
<div>
ssl_key=/etc/dovecot/client-key.pem \
</div>
<div>
ssl_cipher=DHE-RSA-AES256-SHA
</div>
</blockquote>
<div>
Update: I got it to connect successfully now after downgrading the MySQL
</div>
<div>
server tls-version from TLSv1.1 to TLSv1.
</div>
<div>
<br>
</div>
<div>
Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
</div>
<div>
<br>
</div>
<div>
Thanks!
</div>
<div>
Reio
</div>
</blockquote>
<div>
<br>
</div>
<div>
Dovecot mysql uses libmysqlclient. We do not enforce any particular TLS protocol version. If it requires you to downgrade, I suggest you review your client my.cnf for any restrictions.
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
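<div>
<br>
</div>
<div>
The check suggested in the reply above, as an added example that is not part of the thread or of Dovecot's code: it scans option-file text for settings that limit what the MySQL client library will negotiate, then compares a client tls-version list with a server's. The [client] group default, the function names and the sample file are assumptions constructed for illustration; the thread does not establish what the poster's my.cnf contained.
</div>
<pre>
```python
# Added example: find client-side TLS restrictions in my.cnf-style text.
import re

# Options that limit what the client negotiates ("-" and "_" are equivalent).
TLS_OPTIONS = {"tls-version", "ssl-cipher", "ssl-mode"}

def tls_restrictions(text, groups=("client",)):
    """Return {option: value} for TLS-limiting options set in the given groups."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # blank, comment, !include directive
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current not in groups:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if key in TLS_OPTIONS:             # a later line overrides an earlier one
            found[key] = value.split("#")[0].strip().strip("'\"")
    return found

def split_versions(value):
    return [part.strip() for part in value.split(",") if part.strip()]

def common_versions(client_value, server_value):
    """Versions both sides allow; [] means the handshake cannot succeed."""
    server = split_versions(server_value)
    if client_value is None:               # client sets no tls-version limit
        return server
    return [v for v in split_versions(client_value) if v in server]

# Constructed sample, not taken from the thread.
SAMPLE_MY_CNF = """\
[mysqld]
tls_version = TLSv1.1

[client]
# pinned long ago and forgotten
tls_version = TLSv1
ssl-cipher=DHE-RSA-AES256-SHA
"""

if __name__ == "__main__":
    limits = tls_restrictions(SAMPLE_MY_CNF)
    print("client restrictions:", limits)
    print("shared:", common_versions(limits.get("tls-version"), "TLSv1.1"))
```
</pre>
<div>
An empty result from common_versions means the client and server share no protocol version.
</div>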
</body>
</html>