Hello,
I have Ubuntu 22.04, Dovecot 2.3.16 and an old email client (Outlook 2013), and they don't support TLSv1_2.
In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
in openssl.cnf I have:
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_section
[ssl_section]
system_default = ssl_default_sectq
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

but when I check openssl s_client -connect localhost:993 -tls1_1
have output:

CONNECTED(00000003)
803BD26AC67F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 111 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1668602712
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Versions tls1_2 and 1_3 work fine.
What am I doing wrong?
Thanks for help.

Try setting SECLEVEL=0, also 2.3 is not officially supported by us on Ubuntu 22, so if it does not work, you'll have to bug the package maintainers.

Aki

> On 24/11/2022 12:31 EET Six002 <six002 at protonmail.com> wrote:
>
>
> Hello,
> I have Ubuntu 22.04, Dovecot 2.3.16 and an old email client (Outlook 2013), and they don't support TLSv1_2.
> In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
> in openssl.cnf I have:
> openssl_conf = default_conf
> [ default_conf ]
> ssl_conf = ssl_section
> [ssl_section]
> system_default = ssl_default_sectq
> [ssl_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT:@SECLEVEL=1
>
> but when I check openssl s_client -connect localhost:993 -tls1_1
> have output:
>
> CONNECTED(00000003)
> 803BD26AC67F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 111 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.1
>     Cipher : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1668602712
>     Timeout : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> Versions tls1_2 and 1_3 work fine.
> What am I doing wrong?
> Thanks for help.
>

On Thu, Nov 24, 2022 at 1:34 PM Six002 <six002 at protonmail.com> wrote:

> Hello,
> I have Ubuntu 22.04, Dovecot 2.3.16 and an old email client (Outlook 2013),
> and they don't support TLSv1_2.
> In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
> in openssl.cnf I have:
> openssl_conf = default_conf
> [ default_conf ]
> ssl_conf = ssl_section
> [ssl_section]
> system_default = ssl_default_sectq
> [ssl_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT:@SECLEVEL=1
>
> but when I check openssl s_client -connect localhost:993 -tls1_1
> have output:
>
> CONNECTED(00000003)
> 803BD26AC67F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof
> while reading:../ssl/record/rec_layer_s3.c:308:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 111 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.1
>     Cipher : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1668602712
>     Timeout : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> Versions tls1_2 and 1_3 work fine.
> What am I doing wrong?
> Thanks for help.
>
>

Not to answer your question about TLS, but about Outlook.
Your version of Outlook is outdated and seeing as you use Outlook with Dovecot, there is nothing special that you need Outlook for.
Why not just switch to something like Thunderbird for a MUA?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
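
Added example, not part of the thread and not Dovecot or OpenSSL code: a small Python check that follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf fragment, reports a reference to a section that does not exist, and reports a MinProtocol below TLS 1.2 combined with a security level other than 0 (the point of the SECLEVEL=0 suggestion above, since OpenSSL 3.x only allows TLS 1.0/1.1 at level 0). The sample text is the fragment as quoted in the first message; the function names and the simplified section-name pattern are assumptions made for this example.

```python
import re

# Constructed sample: the openssl.cnf fragment exactly as quoted in the first message.
SAMPLE = """\
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_section
[ssl_section]
system_default = ssl_default_sectq
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

def parse(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; '' is the top level."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)  # simplified section-name syntax
        if m:
            cur = m.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            sections[cur][k] = v
    return sections

def check_tls_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return (settings, findings)."""
    s, findings, name = parse(text), [], ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = s[name].get(key)
        if target is None:
            return {}, findings + [f"[{name or 'top level'}] has no '{key}'"]
        if target not in s:
            return {}, findings + [f"'{key} = {target}' names a section that does not exist"]
        name = target
    eff = s[name]                                 # the section that sets the defaults
    m = re.search(r"@SECLEVEL=(\d)", eff.get("CipherString", ""))
    level = int(m.group(1)) if m else None
    if eff.get("MinProtocol") in ("TLSv1", "TLSv1.1") and level != 0:
        findings.append("TLS 1.0/1.1 need @SECLEVEL=0 on OpenSSL 3.x")
    return eff, findings
```

Run against the fragment as quoted, the check stops at the system_default line, whose value does not match the [ssl_default_sect] header; whether that mismatch exists in the poster's real file or only in the e-mail cannot be told from the thread.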