search for: system_default_sect

...nSSL 1.1.1g FIPS 21 Apr 2020 , atm on Fedora32. I configure /etc/pki/tls/openssl.cnf to set preferences for apps' usage, e.g. Postfix etc; Typically, here cat /etc/pki/tls/openssl.cnf openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1.2 Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SH...

...change consists of adding a line of code in the initial section that invokes several new sections later: In the initial section I added: ??? openssl_conf = default_conf Then at the bottom of the file I added: ??? [default_conf] ??? ssl_conf = ssl_sect ??? [ssl_sect] ??? system_default = system_default_sect ??? [system_default_sect] ??? MinProtocol = TLSv1 ??? CipherString = DEFAULT at SECLEVEL=1 There is an alternative approach that I have read of but not tested.? Basically you can create a new file elsewhere with the customized content, and then set an environmental variable (OPENSSL_CONF) ju...

...gt; /etc/pki/tls/openssl.cnf > > to set preferences for apps' usage, e.g. Postfix etc; Typically, here > > cat /etc/pki/tls/openssl.cnf > > openssl_conf = default_conf > > [default_conf] > ssl_conf = ssl_sect > > [ssl_sect] > system_default = system_default_sect > > [system_default_sect] > MinProtocol = TLSv1.2 > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA25...

...eferences for apps' usage, e.g. Postfix etc; Typically, here > > > > cat /etc/pki/tls/openssl.cnf > > > > openssl_conf = default_conf > > > > [default_conf] > > ssl_conf = ssl_sect > > > > [ssl_sect] > > system_default = system_default_sect > > > > [system_default_sect] > > MinProtocol = TLSv1.2 > > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 > > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECD...

> On 22/09/2020 21:00 PGNet Dev <pgnet.dev at gmail.com> wrote: > > > On 9/22/20 10:51 AM, Aki Tuomi wrote: > >>> > > > > Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue. > > I've NO issue with that config/setting with any _other_ app -- whether in general

...ULL > > if this works try tuning cipherlists to more secure value. > > --- > Aki Tuomi Since you mention the newest Ubuntu version, it may (most likely) be necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this with Debian 10 some time ago. /etc/ssl/openssl.conf [system_default_sect] -MinProtocol = TLSv1.2 +MinProtocol = TLSv1 In terms of Dovecot ciphers config, Windows should be happy with TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other older ciphers. -- K -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovec...

...pop3-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully pop3-login: Debug: SSL error: Connection closed But as I say, all is working fine from Thunderbird... For the SSL problem this is maybe because GMail doesn't like this configuration in debian for openssl ? [system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT at SECLEVEL=2 Maybe should I try to set MinProtocol = None CipherString = DEFAULT But this make a lot of security change on my opinion... Do someone have any tips or suggestion about my problem ? Thx Yannick

I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f. A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (ie; me) were unaffected. Could anyone share a set of port 993/995 SSL