Marius Schwarz
2021-Jan-07 16:31 UTC
2.3.13: newly introduced TLS bug : tls_construct_server_key_exchange
Hi,

since the update from 2.3.11 to 2.3.13 some clients generate this bug:

TLS handshaking: SSL_accept() failed: error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error

As it looks for now, they use the old SSL approach on Ports 993 and 995.

SSL Config says:

ssl = yes
ssl_cert = </etc/pki/tls/certs/exim.pem ( Let's Encrypt R3 based cert )
ssl_key = </etc/pki/tls/private/exim.pem
ssl_dh_parameters_length = 2048
ssl_dh= </etc/dovecot/dh.pem
ssl_cipher_list = PROFILE=SYSTEM

OS: Fedora 32 X86_64
Ext4 file storage on local disks

Versions:

dovecot-2.3.13-1.fc32.x86_64
openssl-1.1.1i-1.fc32.x86_64

best regards,
Marius Schwarz

Marius Schwarz
2021-Jan-07 22:38 UTC
Update: 2.3.13: newly introduced TLS bug : tls_construct_server_key_exchange
On 07.01.21 at 17:31, Marius Schwarz wrote:
> Versions:
> dovecot-2.3.13-1.fc32.x86_64
> openssl-1.1.1i-1.fc32.x86_64
>

Fedora released dovecot-2.3.13-2.fc32.x86_64, which seems to fix the issue.

best regards,
Marius Schwarz

Michal Hlavinka
2021-Jan-08 11:11 UTC
2.3.13: newly introduced TLS bug : tls_construct_server_key_exchange
Hard to say without a reproducer and more information, but I think it was a downstream bug. There was a configuration error in the 2.3.13-1 build. I'm not sure how exactly it could cause this error, but I did not see any report for the new build so far.

On 07. 01. 21 17:31, Marius Schwarz wrote:
>
> Hi,
>
> since the update from 2.3.11 to 2.3.13 some clients generate this bug:
>
> TLS handshaking: SSL_accept() failed: error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error
>
> As it looks for now, they use the old SSL approach on Ports 993 and 995.
>
> SSL Config says:
>
> ssl = yes
> ssl_cert = </etc/pki/tls/certs/exim.pem ( Let's Encrypt R3 based cert )
> ssl_key = </etc/pki/tls/private/exim.pem
> ssl_dh_parameters_length = 2048
> ssl_dh= </etc/dovecot/dh.pem
> ssl_cipher_list = PROFILE=SYSTEM
>
>
> OS: Fedora 32 X86_64
> Ext4 file storage on local disks
>
> Versions:
>
> dovecot-2.3.13-1.fc32.x86_64
> openssl-1.1.1i-1.fc32.x86_64
>
>
>
> best regards,
> Marius Schwarz