Hi,

Just making sure I didn't miss anything on my end. I have had a working Dovecot setup for a few OpenBSD releases now. Today I wanted to bump the minimal TLS version on the Dovecot end:

-ssl_min_protocol = TLSv1.2
+ssl_min_protocol = TLSv1.3

After restarting Dovecot, I see that I can connect to host:993 via:

$ openssl s_client -connect imap.example.com:993 -showcerts \
    </dev/null 2>/dev/null | sed -ne '/^Server certificate/,$p'
Server certificate
subject=/CN=imap.example.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4233 bytes and written 374 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1668617217
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

However, on Android, the Google Mail app doesn't connect any more, and on the server I see the following lines in maillog:

2022-11-16T16:32:02.837Z obsd4321 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number, session=<xxxxxxx>

No feedback from the Android app that doesn't work, emails are just not refreshing.

Anyway, does anyone have Dovecot with TLSv1.3 as ssl_min_protocol?

This is on:

OpenBSD 7.2 (GENERIC.MP) #0: Wed Oct 26 12:01:47 MDT 2022
    r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

$ pkg_info -qI dovecot dovecot-fts-flatcurve
dovecot-2.3.19.1p0v0
dovecot-fts-flatcurve-0.3.1

-- 
Regards,
Mikolaj
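
Review bot: the "+ssl_min_protocol = TLSv1.3" line drops TLSv1.2 in one step, and nothing next to the setting records which clients were confirmed to negotiate TLSv1.3 first; the openssl s_client check in this message covers a single client. I would keep "ssl_min_protocol = TLSv1.2" until the imap-login log shows no client still depending on it, or add a comment beside the setting naming the clients that were tested.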
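
An added example, not part of the original post: a Python sketch that groups Dovecot imap-login SSL_accept() failures by OpenSSL reason string and remote IP, and lists IPs that fail the handshake without ever logging in, to see which clients stop connecting after ssl_min_protocol is raised. The log lines are constructed after the maillog entry quoted above (documentation-range IPs, made-up session ids, an assumed Login line), and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines modelled on the maillog entry quoted in the post;
# IPs are documentation-range placeholders and session ids are made up.
FAIL = ("{ts} obsd4321 dovecot: imap-login: Disconnected: Connection closed: "
        "SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:"
        "wrong version number (no auth attempts in 0 secs): user=<>, rip={rip}, "
        "lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1402610B:"
        "SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number, session=<{sid}>")
LOGIN = ("{ts} obsd4321 dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
         "rip={rip}, lip=192.0.2.10, mpid=4242, TLS, session=<{sid}>")
SAMPLE_LOG = [
    FAIL.format(ts="2022-11-16T16:32:02.837Z", rip="198.51.100.7", sid="s1"),
    FAIL.format(ts="2022-11-16T16:37:02.911Z", rip="198.51.100.7", sid="s2"),
    FAIL.format(ts="2022-11-16T16:40:15.100Z", rip="203.0.113.5", sid="s3"),
    LOGIN.format(ts="2022-11-16T16:41:00.002Z", rip="203.0.113.5", sid="s4"),
]

# OpenSSL-style error string: error:<code>:<library>:<function>:<reason>
FAIL_RE = re.compile(r"imap-login: .*?SSL_accept\(\) failed: "
                     r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^,(]+?)\s*[,(]")
RIP_RE = re.compile(r"\brip=(?P<rip>[^,\s]+)")

def tls_failures(lines):
    """Map handshake failure reason -> Counter of remote IPs."""
    by_reason = defaultdict(Counter)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            rip = RIP_RE.search(line)
            by_reason[m["reason"]][rip["rip"] if rip else "unknown"] += 1
    return by_reason

def locked_out(lines):
    """Remote IPs that failed the handshake and never logged in."""
    lines = list(lines)
    failed = {ip for c in tls_failures(lines).values() for ip in c}
    ok = {m["rip"] for m in (RIP_RE.search(l) for l in lines
                             if "imap-login: Login:" in l) if m}
    return sorted(failed - ok)

if __name__ == "__main__":
    for reason, ips in tls_failures(SAMPLE_LOG).items():
        print(reason, dict(ips))
    print("never logged in:", locked_out(SAMPLE_LOG))
```

Run against the real maillog by passing an open file object instead of SAMPLE_LOG.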