On 12/31/2024 5:49 PM, Paul McKinley via Cygwin wrote:
I accidentally sent the previous reply directly to René, so included below.
I created the registry entries and rebooted per other instructions from
Google search:
C:\Windows\System32>reg query
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.0\Client
Enabled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.0\Server
Enabled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.1\Client
Enabled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.1\Server
Enabled REG_DWORD 0x1
No joy:
[snip]
Correcting my previous message, STARTTLS is port 587.
I was right, the registry change is not needed, OpenSSL takes care, and
supports all versions.
Tested again (with Postfix as server) and email works fine over port
587, doesn't over port 465. I had previously used "email --verbose"
which is what causes email to behave as if I've asked for version (i.e.
-V kind of works, --verbose is taken as --version).
The verbose option is useless, still shows a progress bar instead of the
actual protocol exchange.
Next step for you is to check which version of TLS is suported by your
smtp server. It would be interesting to see if only 1.3 is accepted and
it doesn't work with eMail.
Using port 587:
$ openssl s_client -starttls smtp -showcerts -connect mail.<server>:587
-servername <...>
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = *.<server>
verify return:1
---
Certificate chain
0 s:CN = *.<server>
i:C = US, O = Let's Encrypt, CN = R10
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 14 19:29:40 2024 GMT; NotAfter: Feb 12 19:29:39
2025 GMT
[snip]
SSL handshake has read 3467 bytes and written 496 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
[snip]
Same test over the 465 port show that the server doesn't have it enabled:
100000000A000000:error:8000006F:system library:BIO_connect:Connection
refused:crypto/bio/bio_sock2.c:114:calling connect()
--
R.B.
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
