On 5 September 2017 at 22:40, Sven Hartge <s...@svenhartge.de> wrote:
> Michael Grant <mgr...@grant.org> wrote:
>
>> Is there something I can set on Debian side to force this newer
>> openssl to accept older 1.x connections?
>
> No, you can't.
>
> Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> program needs to call a special function of OpenSSL to override the
> default minimum TLS-version of TLS1.2.
>
> Problem is: next to no program implements this as of yet.
>
> The Dovecot developers may introduce the needed change in some of the
> coming versions, with sendmail I believe you will be out of luck.
Ugh no!

> First help: Grab an older OpenSSL version from snapshots.debian.org to
> get going again.
>
> My solution (other than complaining on the debian-devel mailinglist) was
> to recompile OpenSSL with the patch in question removed.
>
> Of course in doing so I burdened myself with tracking any new release of
> the OpenSSL packages and recompile them until this situation has been
> resolved in some other way.

Thanks for confirming that I did the best thing I could: reinstall the previous version of libssl.

I was surprised that this problem affected fairly recent MacOS and Windows Outlook users. I was also surprised that not many people had reported this, and as I continued to google around for this, I found only this chain of posts! And this has been in the wild now for about 10 days.

I'm sure this fix needs to be in there, but forcing it on people without making sure major mailers are going to accept it is just going to create more problems. It probably would have been a good idea to put a loud warning in the log files about this.

The message given by apt during the update:

    By default the minimum supported TLS version is 1.2. If you still need
    to talk to applications that only support TLS 1.0 you should configure
    the application to set the minimum supported version.

This is highly misleading, as it suggests that it is easy to do this!
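The application-side override that the apt notice refers to, shown as an added example that is not code from this thread, from Debian, Dovecot or sendmail. It uses Python's standard ssl module, whose minimum_version setter is a wrapper over OpenSSL's SSL_CTX_set_min_proto_version(); that this is the kind of call a daemon has to make itself is the assumption here. The "TLS 1.0-only client" is a constructed stand-in for the older Outlook clients mentioned above, and no network connection is made:

```python
import ssl
import warnings

# Added example: the application, not libssl, decides its own TLS floor.
# ssl.SSLContext.minimum_version calls OpenSSL's SSL_CTX_set_min_proto_version().

# Sentinels the ssl module uses for "whatever the library allows". They are
# negative integers, so they must be mapped before any numeric comparison.
_LOWEST = ssl.TLSVersion.MINIMUM_SUPPORTED
_HIGHEST = ssl.TLSVersion.MAXIMUM_SUPPORTED


def server_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Build a server-side context with an explicit minimum protocol version.

    Returns None when the underlying OpenSSL build refuses the requested
    floor (for example a build compiled without TLS 1.0 support at all).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        with warnings.catch_warnings():
            # Newer Pythons warn that TLS 1.0/1.1 are deprecated; that is
            # exactly the trade-off an admin makes here, so keep it quiet.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = min_version
    except ValueError:
        return None
    return ctx


def accepts(ctx, client_version):
    """Would `ctx` negotiate with a client whose best offer is `client_version`?

    `client_version` is a TLS record version number (0x0301 = TLS 1.0,
    0x0303 = TLS 1.2) or an ssl.TLSVersion member. Only the version window
    is checked; cipher suites and OpenSSL's security level can still reject
    the handshake.
    """
    low = 0 if ctx.minimum_version == _LOWEST else int(ctx.minimum_version)
    high = 0x7FFF if ctx.maximum_version == _HIGHEST else int(ctx.maximum_version)
    return low <= int(client_version) <= high


def tls10_only_client_accepted(ctx):
    # Constructed stand-in for the "older 1.x" mail clients in the thread:
    # a client that cannot offer anything newer than TLS 1.0.
    return accepts(ctx, ssl.TLSVersion.TLSv1)


if __name__ == "__main__":
    # TLS 1.2 floor: the behaviour the patched Debian libssl imposes by default.
    strict = server_context()
    print("TLS 1.2 floor, TLS 1.0-only client:", tls10_only_client_accepted(strict))

    # TLS 1.0 floor: what the apt notice expects each daemon to do on its own.
    relaxed = server_context(ssl.TLSVersion.TLSv1)
    if relaxed is None:
        print("this OpenSSL build cannot lower the floor to TLS 1.0 at all")
    else:
        print("TLS 1.0 floor, TLS 1.0-only client:", tls10_only_client_accepted(relaxed))
```

The point of the example is that nothing in the library configuration changes the outcome: the context only admits the old client once the program itself asks for the lower floor, and a daemon that never makes that call (the situation described for sendmail above) cannot be fixed from the outside. To confirm what a running mail daemon actually accepts, `openssl s_client -connect HOST:PORT -tls1` (with `-starttls smtp` or `-starttls imap` where the service upgrades in-band) attempts a TLS 1.0-only handshake and reports whether the server completed it.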