Hi, I'm trying to enable TLS1.0 support for an old client. Per dovecot -n

# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
# Hostname:

In 10-ssl.conf, I have set

ssl_min_protocol = TLSv1

(It doesn't show in dovecot -n, I suspect because it's equal to the default value?) I restarted dovecot with systemctl. Then, from another machine,

openssl s_client -connect zeserver.com:993 -tls1

fails with this output:

CONNECTED(00000003)
140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

The same command with -tls1_2 works as intended (certificate printing, imap prompt).

Am I forgetting something somewhere, or is this an actual bug?
You may need to add to your ssl_cipher_list

ssl_cipher_list = ALL:@SECLEVEL=1

I am not 100% certain why, but the @SECLEVEL=1 addition unlocks several ciphers that I've found to be required for TLSv1 to work.

On Tue, 12 Apr 2022 14:32:43 -0500 Myriam Luce <luce.myriam at gmail.com> wrote:
> Hi, I'm trying to enable TLS1.0 support for an old client.
[...]
> In 10-ssl.conf, I have set
>
> ssl_min_protocol = TLSv1
>
> (It doesn't show in dovecot -n, I suspect because it's equal to the
> default value?) I restarted dovecot with systemctl. Then, from
> another machine,
>
> openssl s_client -connect zeserver.com:993 -tls1
>
> fails with this output:
>
> CONNECTED(00000003)
> 140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
[...]
> SSL handshake has read 0 bytes and written 7 bytes
[...]
> New, (NONE), Cipher is (NONE)
[...]
> The same command with -tls1_2 works as intended (certificate
> printing, imap prompt).
>
> Am I forgetting something somewhere, or is this an actual bug?
Paul Kudla (SCOM.CA Internet)
2022-Apr-14 13:01 UTC
ssl_min_protocol appears to be ignored?
Running dovecot 2.3.18 (current)

Can do connection test

# openssl s_client -connect localhost:993 -tls1
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1649941141
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

and worked ok

Currently I have the min version remmed out?

ssl = yes
verbose_ssl = yes
ssl_dh = </usr/local/etc/dovecot/dh-4096.pem
ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1.2

On 4/12/2022 3:32 PM, Myriam Luce wrote:
> Hi, I'm trying to enable TLS1.0 support for an old client. Per dovecot -n
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
> # Hostname:
>
> In 10-ssl.conf, I have set
>
> ssl_min_protocol = TLSv1
>
> (It doesn't show in dovecot -n, I suspect because it's equal to the
> default value?) I restarted dovecot with systemctl. Then, from another
> machine,
>
> openssl s_client -connect zeserver.com:993 -tls1
>
> fails with this output:
>
> CONNECTED(00000003)
> 140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
[...]
> SSL handshake has read 0 bytes and written 7 bytes
[...]
> New, (NONE), Cipher is (NONE)
[...]
> The same command with -tls1_2 works as intended (certificate printing,
> imap prompt).
>
> Am I forgetting something somewhere, or is this an actual bug?
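Added here as an example, not code from any poster in this thread or from the Dovecot project: a small shell probe that covers both the `ssl_cipher_list = ...:@SECLEVEL=1` suggestion earlier in the thread and the two `openssl s_client` transcripts quoted in it. It assumes an `openssl` binary on the client and a hypothetical host `imap.example.org` on port 993; the transcripts inside `demo()` are constructed to match the shapes quoted above. The point it makes explicit: `tls_construct_client_hello:no protocols available` with 0 bytes read and only 7 bytes written means the client's own OpenSSL gave up before sending a ClientHello (the 7 bytes are a single alert record), so the server was never consulted. That is what a client-side /etc/ssl/openssl.cnf with `MinProtocol = TLSv1.2` and `CipherString = DEFAULT:@SECLEVEL=2` (the Ubuntu 20.04 default) produces, because Ubuntu's 1.1.1 build refuses TLS 1.0/1.1 at security level 2. A Dovecot server on the same distribution inherits that security level into its own SSL context; `ssl_min_protocol` overrides `MinProtocol` but not the level, which is why `@SECLEVEL=1` in `ssl_cipher_list` has the effect described earlier (`DEFAULT:@SECLEVEL=1` keeps OpenSSL's default exclusions explicit where `ALL:@SECLEVEL=1` does not, and either change applies to every Dovecot TLS listener, not only the legacy client). By contrast, `write:errno=0` after 104 bytes written and 0 read means the ClientHello went out and the peer closed the connection without answering: the handshake did not complete, which is what `Cipher is (NONE)` records.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Dovecot project.
# Probes an IMAPS port for each TLS version and tells a refusal by the
# client's own OpenSSL policy apart from a rejection by the server.
# The host/port on the command line and the transcripts in demo() are
# constructed stand-ins, not the posters' servers.

# Classify an `openssl s_client` transcript read on stdin. Prints one of:
#   client-policy    local OpenSSL refused before sending a ClientHello
#                    ("no protocols available"; only a 7-byte alert written)
#   server-rejected  a ClientHello went out but nothing came back and no
#                    cipher was negotiated (peer closed: write:errno=0)
#   ok               a cipher was negotiated; certificate and IMAP greeting
#                    follow in the real output
classify_handshake() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'no protocols available'; then
        echo client-policy
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo server-rejected
    elif printf '%s\n' "$transcript" | grep -q '^New, .*Cipher is '; then
        echo ok
    else
        echo unknown
    fi
}

# Cipher string used to relax the *client's* policy. OpenSSL 1.1.1 (Ubuntu
# 20.04) needs SECLEVEL=1 for TLS 1.0/1.1; OpenSSL 3.x needs SECLEVEL=0,
# because 3.0 rates the SHA1/MD5 handshake signatures below level 1.
RELAXED=${RELAXED:-DEFAULT:@SECLEVEL=1}

# probe_version HOST PORT VERSION [extra s_client args]
# VERSION is one of tls1 tls1_1 tls1_2 tls1_3.
probe_version() {
    host=$1; port=$2; ver=$3; shift 3
    # stdin from /dev/null so s_client exits after the handshake; the
    # "no protocols available" line goes to stderr, so merge it.
    openssl s_client -connect "$host:$port" "-$ver" "$@" </dev/null 2>&1 \
        | classify_handshake
}

# Walk every version twice: with the local default policy and with the
# client policy relaxed. client-policy in the first column and ok in the
# second was never the server's problem; server-rejected in both columns
# means the server's ssl_min_protocol / ssl_cipher_list (e.g. a
# ...:@SECLEVEL=1 suffix) has to change, or the version is simply off.
probe_all() {
    host=$1; port=$2
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s default-policy: %-16s relaxed: %s\n' "$ver" \
            "$(probe_version "$host" "$port" "$ver")" \
            "$(probe_version "$host" "$port" "$ver" -cipher "$RELAXED")"
    done
}

# Offline demonstration on constructed transcripts shaped like the two
# quoted in this thread: one refused locally, one closed by the server.
demo() {
    printf 'error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available\nSSL handshake has read 0 bytes and written 7 bytes\nNew, (NONE), Cipher is (NONE)\n' \
        | classify_handshake
    printf 'write:errno=0\nSSL handshake has read 0 bytes and written 104 bytes\nNew, (NONE), Cipher is (NONE)\n' \
        | classify_handshake
}

# Usage: sh tls_probe.sh imap.example.org [993]
# On the Dovecot host itself, `doveconf ssl_min_protocol ssl_cipher_list`
# (without -n, which hides settings still at their default) prints what
# the server is actually running with.
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-993}"
else
    demo
fi
```

Run it from the same machine the legacy client sits on, since the first column reports that machine's OpenSSL policy, not the server's. TLS 1.0 is deprecated by RFC 8996; if the relaxed setting has to go on the server, keep it only as long as the old client is in service and confirm afterwards with `probe_all` that the version is rejected again.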