Dovecot and TLSv1 on ubuntu 22.04
Hello,
I have Ubuntu 22.04, dovecot 2.3.16 and an old email client (Outlook 2013), and they don't support TLSv1_2.
In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
in openssl.cnf I have:
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_section
[ssl_section]
system_default = ssl_default_sectq
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

but when I check openssl s_client -connect localhost:993 -tls1_1
have output:

CONNECTED(0003)
803BD26AC67F:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 111 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.1
    Cipher :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1668602712
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

version tls1_2 and 1_3 works fine.
What am I doing wrong?
Thanks for help.

Re: Dovecot and TLSv1 on ubuntu 22.04
Try setting SECLEVEL=0, also 2.3 is not officially supported by us on Ubuntu 22, so if it does not work, you'll have to bug the package maintainers.

Aki

> On 24/11/2022 12:31 EET Six002 wrote:
>
> Hello,
> I have Ubuntu 22.04, dovecot 2.3.16 and an old email client (Outlook 2013), and they don't support TLSv1_2.
> In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
> in openssl.cnf I have:
> openssl_conf = default_conf
> [ default_conf ]
> ssl_conf = ssl_section
> [ssl_section]
> system_default = ssl_default_sectq
> [ssl_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT:@SECLEVEL=1
>
> but when I check openssl s_client -connect localhost:993 -tls1_1
> have output:
>
> CONNECTED(0003)
> 803BD26AC67F:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 111 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.1
>     Cipher :
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1668602712
>     Timeout : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> version tls1_2 and 1_3 works fine.
> What am I doing wrong?
> Thanks for help.

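Added example, not part of any message in this thread: a check of the openssl.cnf posted above that follows the openssl_conf / ssl_conf / system_default chain of section names and then compares MinProtocol with @SECLEVEL, the value the reply suggests changing. The function names are hypothetical, and the rule that OpenSSL 3.0 (the version Ubuntu 22.04 ships) generally negotiates TLS 1.0/1.1 only at security level 0 is background knowledge, not something stated in the thread.

```python
import re

# Config exactly as posted in the thread.
POSTED_CNF = """\
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_section
[ssl_section]
system_default = ssl_default_sectq
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; '' is the top level."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return a list of findings."""
    sections, name = parse_cnf(text), ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = sections[name].get(key)
        if target is None:
            return [f"'{key}' is not set in [{name or 'top level'}]"]
        if target not in sections:
            return [f"'{key} = {target}' names a section that does not exist"]
        name = target
    opts, findings = sections[name], []
    m = re.search(r"@SECLEVEL=(\d)", opts.get("CipherString", ""))
    level = int(m.group(1)) if m else None
    # Assumption: OpenSSL 3.0 lowered the strength of SHA-1 based signatures,
    # so TLS 1.0/1.1 handshakes generally need security level 0.
    if opts.get("MinProtocol") in LEGACY and level != 0:
        findings.append(f"MinProtocol {opts['MinProtocol']} needs @SECLEVEL=0, found {level}")
    return findings
```

Because `system_default` applies to every program that loads the system openssl.cnf, a lower MinProtocol or SECLEVEL set there affects more than Dovecot.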
Re: Dovecot and TLSv1 on ubuntu 22.04
On Thu, Nov 24, 2022 at 1:34 PM Six002 wrote:

> Hello,
> I have Ubuntu 22.04, dovecot 2.3.16 and an old email client (Outlook 2013), and they don't support TLSv1_2.
> In dovecot 10-ssl.conf I put: ssl_min_protocol = TLSv1,
> in openssl.cnf I have:
> openssl_conf = default_conf
> [ default_conf ]
> ssl_conf = ssl_section
> [ssl_section]
> system_default = ssl_default_sectq
> [ssl_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT:@SECLEVEL=1
>
> but when I check openssl s_client -connect localhost:993 -tls1_1
> have output:
>
> CONNECTED(0003)
> 803BD26AC67F:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 111 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.1
>     Cipher:
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1668602712
>     Timeout : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> version tls1_2 and 1_3 works fine.
> What am I doing wrong?
> Thanks for help.

Not to answer your question about TLS, but about Outlook. Your version of Outlook is outdated and seeing as you use Outlook with Dovecot, there is nothing special that you need Outlook for. Why not just switch to something like Thunderbird for a MUA?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)

Re: bug: ARGON2 hash selection incompatible with LDAP
> On 15/11/2022 14:55 EET Aki Tuomi wrote:
>
> > On 15/11/2022 14:45 EET Krisztián Szegi wrote:
> >
> > Good day to all,
> >
> > this is my first post to the mailing list!
> >
> > I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.
> >
> > Although dovecot (I am using 2.3.19.1) does support ARGON2 with libsodium, it doesn't recognize hashes beginning "{ARGON2}$argon2id$" stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
> >
> > Now, I understand that ARGON2I, -D, and -ID are not compatible, but the ACTUAL algorithm is there between the two $.
> > Furthermore, I think dovecot is in the minority here, I haven't met any software that specifies the ARGON2 subtype between {}.
> > BTW, I haven't met any software that hashes passwords with ARGON2, but not with the ARGON2ID subtype (where libsodium is available, which also seems to be the standard here), as THAT is the recommended one anyway.
> >
> > I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> > https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
> >
> > Could we get something like this (but maybe more correct) into the official source?
> > Maybe a config switch to alias it runtime?
> >
> > Thanks for the attention:
> > Krisztián
>
> Hi!
>
> Thanks for your report. I think it makes sense, we'll see what we can do about this.
>
> Aki

This has been fixed in https://github.com/dovecot/core/commit/6e3239d8fbe33f96352d24a563a0c7595d29dca9

Regards,
Aki Tuomi
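Added example, not the code of the linked commit or of the openSUSE patch: one way to derive the scheme label from the subtype "between the two $", as the report suggests, instead of blindly aliasing {ARGON2}. The function name, the label mapping (ARGON2I and ARGON2ID as Dovecot scheme names) and the sample value are assumptions; the salt and hash in the sample are constructed filler.

```python
import re

# Assumed Dovecot scheme labels per Argon2 subtype; the thread itself names {ARGON2ID}.
SUBTYPE_TO_SCHEME = {"argon2i": "ARGON2I", "argon2id": "ARGON2ID"}

# PHC string layout: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash> (v= is optional).
PHC = re.compile(
    r"\$(argon2(?:id|i|d))\$(?:v=\d+\$)?m=\d+,t=\d+,p=\d+"
    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
)

# Constructed sample in the shape the report describes for OpenLDAP.
SAMPLE = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"

def relabel(stored):
    """Return the stored value with its {SCHEME} label derived from the PHC subtype."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", stored)
    if not m:
        raise ValueError("no {SCHEME} prefix")
    label, body = m.group(1).upper(), m.group(2)
    if not label.startswith("ARGON2"):
        return stored  # a different scheme, leave it untouched
    parsed = PHC.fullmatch(body)
    if not parsed:
        raise ValueError("label says Argon2 but the body is not a PHC Argon2 string")
    subtype = parsed.group(1)
    scheme = SUBTYPE_TO_SCHEME.get(subtype)
    if scheme is None:
        raise ValueError(f"no scheme mapping for {subtype}")
    # A generic {ARGON2} label is accepted; a specific label must agree with the body.
    if label not in ("ARGON2", scheme):
        raise ValueError(f"label {{{label}}} contradicts subtype {subtype}")
    return "{" + scheme + "}" + body
```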