Hi,
Just making sure I didn't miss anything on my end. I have working
Dovecot setup for few OpenBSD releases now. Today I wanted to bump
minimal TLS version on the Dovecot end:
-ssl_min_protocol = TLSv1.2
+ssl_min_protocol = TLSv1.3
After restarting Dovecot, I see that I can connect to host:993 via:
$ openssl s_client -connect imap.example.com:993 -showcerts \
</dev/null 2>/dev/null | sed -ne '/^Server certificate/,$p'
Server certificate
subject=/CN=imap.example.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4233 bytes and written 374 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_CHACHA20_POLY1305_SHA256
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1668617217
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
However on Andorid, Google Mail app doesn't connect any more and on the
server I see following lines in maillog:
2022-11-16T16:32:02.837Z obsd4321 dovecot: imap-login: Disconnected: Connection
closed: SSL_accept() failed: error:1402610B:SSL
routines:ACCEPT_SR_CLNT_HELLO:wrong version number (no auth attempts in 0
secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking:
SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong
version number, session=<xxxxxxx>
No feedback from the Android app that doesn't work, emails are just not
refreshing. Anyway, does anyone have Dovecot with TLSv1.3 as
ssl_min_protocol?
This is on:
OpenBSD 7.2 (GENERIC.MP) #0: Wed Oct 26 12:01:47 MDT 2022
r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
$ pkg_info -qI dovecot dovecot-fts-flatcurve
dovecot-2.3.19.1p0v0
dovecot-fts-flatcurve-0.3.1
--
Regards,
Mikolaj
