either do

   openssl s_client -connect host:993

   or

   openssl s_client -connect host:143 -starttls imap

   Aki

     On 20/11/2025 17:49 EET Marek Gresko via dovecot
     <[1][email protected]> wrote:


     When trying openssl s_client to port 143, I get:

     no peer certificate available
     --
     No client certificate CA names sent
     Negotiated TLS1.3 group: <NULL>
     ---
     SSL handshake has read 5 bytes and written 1556 bytes
     Verification: OK
     ---
     New, (NONE), Cipher is (NONE)
     Protocol: TLSv1.3
     This TLS version forbids renegotiation.
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     Early data was not sent
     Verify return code: 0 (ok)

     Why is there no certificate present? Because dovecot refuses to present
     it since it thinks it is weak?

     Marek





     Sent with Proton Mail secure email.

     On Thursday, 20 November 2025, 16:45, Marek Gresko
     <[2][email protected]> wrote:


       Hello,

       I added ca_file to the server section. I do not want clients to
       present certificates, so I did not create the ssl client section you
       proposed.

       Any other suggestion?

       I still cannot imagine what could be the cause.

       Thanks

       Marek




       Sent with Proton Mail secure email.


       On Thursday, 20 November 2025, 16:13, pgnd [3][email protected] wrote:


           after upgrading from Fedora 42 to Fedora 43 the dovecot got
           upgraded to version 2.4.

         imo, a sloppy choice on their part, forcing the need to
         significantly change imap config at the same time as an OS upgrade,
         and 'breaking imap' for lots of folks.


           Should the authority certificate be configured somewhere in
           dovecot?

         start with a thorough read of

         [4]https://doc.dovecot.org/2.4.2/core/config/ssl.html

         if using self-signed certs, you'll end up with something similar to

         ssl = required
         ...
         ssl_server {
           ca_file = /path/to/your_CA.crt.pem
           cert_file = /path/to/your_domain.server.ec.crt.pem
           key_file = /path/to/your_domain.server.ec.key.pem
           ...
         }
         ssl_client {
           ca_file = /path/to/your_CA.crt.pem
           cert_file = /path/to/your_domain.client.ec.crt.pem
           key_file = /path/to/your_domain.client.ec.key.pem
           ...
         }

     _______________________________________________
     dovecot mailing list -- [5][email protected]
     To unsubscribe send an email to [6][email protected]
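
Added example, not part of the original thread or of Dovecot: the two openssl commands at the top differ because port 143 starts in plaintext IMAP and sends a greeting first, so a bare TLS probe reads five bytes that are not a TLS record header and never reaches a certificate. The sketch below classifies the first bytes read from a port and returns the matching command from the thread; the function names and sample byte strings are constructed for illustration.

```python
# Added example: decide which s_client form fits what the server sent first.
# All sample bytes are constructed, not captured from the thread.
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 16384 + 2048  # upper bound on a TLS record body

def parse_tls_record_header(data):
    """Return (type, (major, minor), length) for a plausible 5-byte
    TLS record header at the start of data, else None."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def classify_first_bytes(data):
    """Classify the first bytes read from the server."""
    if parse_tls_record_header(data):
        return "tls"
    # RFC 3501: a plaintext IMAP server opens with an untagged greeting.
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "imap-plaintext"
    return "unknown"

def suggest_probe(host, port, first_bytes):
    """Return the openssl command from the thread that matches the port's
    behaviour, or None if the bytes are neither TLS nor an IMAP greeting."""
    kind = classify_first_bytes(first_bytes)
    if kind == "tls":
        return f"openssl s_client -connect {host}:{port}"
    if kind == "imap-plaintext":
        return f"openssl s_client -connect {host}:{port} -starttls imap"
    return None

# Constructed samples: a plaintext greeting and the start of a TLS reply.
GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready.\r\n"
TLS_REPLY = b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76"

if __name__ == "__main__":
    for port, sample in ((143, GREETING), (993, TLS_REPLY)):
        print(port, classify_first_bytes(sample), "->",
              suggest_probe("host", port, sample))
```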
