Re: cygwin /usr/bin/email

Thu, 02 Jan 2025 07:49:45 -0800 

Hi, Reneé, thanks so much for your help!
The command reports version 1.3, nothing else.  Would it have listed additional versions, possibly in different paragraphs if supported? 


I use current version of Mozilla Thunderbird for an email client, no 
issues with smtp sending there and connecting to the same email server 
so I know that side's working, but it's using the Thunderbird ssl stack, 
not openssl from cygwin.


Is TLS 1.3 not supported in cygwin email yet?


The error I get is the timeout while trying to read from SMTP server so 
it seems something's going wrong in the handshake sequence.


Greeting the SMTP server...
email: FATAL: Smtp error: Timeout(10) while trying to read from SMTP server

<snip>

---
SSL handshake has read 3669 bytes and written 455 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

On port 465 it connects but doesn't do STARTTLS.

CONNECTED(00000005)
Didn't find STARTTLS in server response, trying anyway...

100000000A000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof 
while reading:ssl/record/rec_layer_s3.c:322:

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 382 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


On 12/31/2024 7:51 PM, René Berber wrote:

On 12/31/2024 5:49 PM, Paul McKinley via Cygwin wrote:


I accidentally sent the previous reply directly to René, so included 
below.



I created the registry entries and rebooted per other instructions 
from Google search:



C:\Windows\System32>reg query 
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols 
/s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.0\Client

     Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.0\Server

     Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.1\Client

     Enabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.1\Server

     Enabled    REG_DWORD    0x1

No joy:

[snip]

Correcting my previous message, STARTTLS is port 587.


I was right, the registry change is not needed, OpenSSL takes care, 
and supports all versions.



Tested again (with Postfix as server) and email works fine over port 
587, doesn't over port 465.  I had previously used "email --verbose" 
which is what causes email to behave as if I've asked for version 
(i.e. -V kind of works, --verbose is taken as --version).



The verbose option is useless, still shows a progress bar instead of 
the actual protocol exchange.



Next step for you is to check which version of TLS is suported by your 
smtp server.  It would be interesting to see if only 1.3 is accepted 
and it doesn't work with eMail.


Using port 587:


$ openssl s_client -starttls smtp -showcerts -connect 
mail.<server>:587 -servername <...>

CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = *.<server>
verify return:1
---
Certificate chain
 0 s:CN = *.<server>
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

   v:NotBefore: Nov 14 19:29:40 2024 GMT; NotAfter: Feb 12 19:29:39 
2025 GMT

[snip]
SSL handshake has read 3467 bytes and written 496 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
[snip]

Same test over the 465 port show that the server doesn't have it enabled:


100000000A000000:error:8000006F:system library:BIO_connect:Connection 
refused:crypto/bio/bio_sock2.c:114:calling connect()


--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple






















					Reply via email to