openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect redacted.fqdn:143
bit depth of the certificate is 4096. Bit depth of the root ca is 4096, no intermediate ca here. ssl_cipher_list = PROFILE=SYSTEM update-crypto-policies --show DEFAULT:DISABLE-MY-WEAK the MY-WEAK is: cipher = -CHACHA20-POLY1305 mac@SSH = -HMAC-SHA1 -UMAC-128 etm@SSH = DISABLE_ETM group = -SECP521R1 But with DEFAULT only it is the same result. On: grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol it seems I am fullfilling all the requirements. Could it be dovecot is not loading the certificate at all? Marek Odoslané pomocou bezpečného emailu Proton Mail. štvrtok 20. novembra 2025, 17:04, pgnd <[email protected]> napísal/a: > > When trying openssl s_client to port 143 > > > show the command you're using > > > > what's the bit-depth of your self-signed cert? > > > > you are forcing `ssl_cipher_list = PROFILE=SYSTEM` > > on that system, what's the output of > > update-crypto-policies --show > > ? > > check whatever policy your system's got defined > > grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol > > for minimum param size reqt's _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
