On Mon, 18 Mar 2019 12:06:59 +0100, Kurt Roeckx wrote:

> So I assume that somewhere in the past you also did something like
> that, and that the old file was still a 1024 bit file? Or did you
> just not have an ssl_dh line in your config because the old config
> files didn't have it and it wasn't added as part of the upgrade?
The old file was /usr/share/dovecot/dh.pem and it was certainly the file of the dovecot package but not a file I generated. There are 2 config files named 10-ssl.conf, one under /etc/dovecot/conf.d and the other under /usr/share/dovecot/conf.d. In 10-ssl.conf under /etc, there is no ssl_dh line (but there is #ssl_dh_parameters_length = 1024) and in 10-ssl.conf under /usr, there is an "ssl_dh = </usr/share/dovecot/dh.pem" line. (Note this dh.pem is not old, as

ls -l /usr/share/dovecot/dh.pem
-rw-r--r-- 1 root root 769 5 Feb. 23:19 /usr/share/dovecot/dh.pem

shows. "5 Feb." is a translation of Japanese text by me.)

I added ssl_dh = </path/to/dh.pem in 10-ssl.conf under /etc to fix the problem. Of course this dh.pem was generated by me as a 4096 bit key.

> I have no idea which part of dovecot failed, but I think there
> might still be some other issue.
>
> Do you have any idea which version of TLS is being negotiated?
> Since both use the same version of openssl, it should be able to
> do TLS 1.3 and have used X25519 instead of DHE. It could be that
> some side of the connection for some reasons blocks TLS 1.3.
>
> The other reason it can fail is that the change between 1.1.1a and
> 1.1.1b now just caused dovecot to not properly set up TLS. That
> you are in fact not using DHE, but that setting up DHE now failed,
> causing the connection issue.

Sorry but I have no idea here.

Thanks for your investigation.

Best regards,
2019-3-19(Tue)
--
**************************
Atsuhito Kohda
atsuhito_k AT tokushima-u.ac.jp
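Added here as a worked example, not code from the thread, from Dovecot or from OpenSSL: a small Python checker that answers the two questions raised above for a given 10-ssl.conf, namely whether it carries an active (uncommented) "ssl_dh = <path" line at all, and how many bits the prime in the referenced PEM file actually has. It parses the DER inside the "DH PARAMETERS" block directly, so it needs no openssl binary. The 2048-bit minimum is my assumption (a placeholder threshold, not a value taken from the thread), and build_dh_pem is a constructed test helper that emits a structurally valid but cryptographically meaningless parameter file so the parser can be exercised offline.

```python
"""Report which DH parameter file a Dovecot 10-ssl.conf points at and how large its prime is."""
import base64
import re
import sys

# --- Dovecot config side ---------------------------------------------------
# Dovecot's "ssl_dh = </some/file" syntax means "read the value from this file".
# Only uncommented lines count; "#ssl_dh_parameters_length = 1024" must not match.
SSL_DH_RE = re.compile(r"^\s*ssl_dh\s*=\s*<\s*(\S+)", re.M)


def find_ssl_dh(config_text):
    """Return the path from the first active 'ssl_dh = <path' line, or None."""
    m = SSL_DH_RE.search(config_text)
    return m.group(1) if m else None


# --- PEM / DER side --------------------------------------------------------
# A PKCS#3 DH parameter file is DER: SEQUENCE { INTEGER p, INTEGER g [, ...] }.
# X9.42 files carry more fields, but p is still the first INTEGER, so the
# same extraction works for both.
PEM_RE = re.compile(
    r"-----BEGIN (?:X9\.42 )?DH PARAMETERS-----(.*?)-----END (?:X9\.42 )?DH PARAMETERS-----",
    re.S,
)


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F  # long form: next n bytes hold the length
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_tlv(buf, pos):
    """Decode one tag/length/value triple; return (tag, value bytes, next position)."""
    tag = buf[pos]
    length, pos = _read_len(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of the prime p inside a DH PARAMETERS PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, p_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p as first element")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit(config_text, read_file, min_bits=2048):
    """Tie both checks together: returns (path, prime bits, meets minimum).

    read_file is a callable path -> str so the file access can be stubbed.
    min_bits=2048 is an assumed policy threshold, not a value from the thread.
    """
    path = find_ssl_dh(config_text)
    if path is None:
        return None, 0, False
    bits = dh_prime_bits(read_file(path))
    return path, bits, bits >= min_bits


# --- Constructed test helper (NOT a DH parameter generator) ---------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def build_dh_pem(p, g=2):
    """Encode arbitrary integers as a DH PARAMETERS PEM; p is NOT checked for primality.
    Constructed purely to exercise the parser with a known prime size."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    # Usage: python dh_check.py /etc/dovecot/conf.d/10-ssl.conf
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/dovecot/conf.d/10-ssl.conf"
    with open(conf) as fh:
        path, bits, ok = audit(fh.read(), lambda p: open(p).read())
    print(f"{conf}: ssl_dh={path} prime_bits={bits} meets_minimum={ok}")
```

Run it once against the copy under /etc/dovecot/conf.d and once against the one under /usr/share/dovecot/conf.d and the two results show directly which file has the active ssl_dh line and what size the referenced parameters really are, which is the information the reply above had to reconstruct by hand.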

