Hi,

Just making sure I didn't miss anything on my end. I have had a working
Dovecot setup for a few OpenBSD releases now. Today I wanted to bump the
minimum TLS version on the Dovecot end:

-ssl_min_protocol = TLSv1.2
+ssl_min_protocol = TLSv1.3
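
Review bot: the `+ssl_min_protocol = TLSv1.3` line removes TLSv1.2 with nothing left as a fallback, so any client that does not offer TLSv1.3 in its ClientHello is rejected during the handshake, before authentication. Confirm that every mail client in use negotiates TLSv1.3 before applying this, and keep `ssl_min_protocol = TLSv1.2` until then.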

After restarting Dovecot, I see that I can connect to host:993 via:

$ openssl s_client -connect imap.example.com:993 -showcerts \
        </dev/null 2>/dev/null | sed -ne '/^Server certificate/,$p'
Server certificate
subject=/CN=imap.example.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4233 bytes and written 374 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1668617217
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


However, on Android, the Google Mail app doesn't connect any more, and on
the server I see the following lines in maillog:

2022-11-16T16:32:02.837Z obsd4321 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number, session=<xxxxxxx>


There is no feedback from the Android app that it doesn't work; emails are
just not refreshing. Anyway, does anyone have Dovecot with TLSv1.3 as
ssl_min_protocol?


This is on:

OpenBSD 7.2 (GENERIC.MP) #0: Wed Oct 26 12:01:47 MDT 2022
    r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


$ pkg_info -qI dovecot dovecot-fts-flatcurve
dovecot-2.3.19.1p0v0
dovecot-fts-flatcurve-0.3.1

-- 
Regards,
 Mikolaj
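
One way to see which clients are affected by the handshake failure in the maillog excerpt above, as an added example that is not part of the original post: the script tallies `SSL_accept() failed` entries per client address and lists the addresses that never complete a login. The sample lines, the addresses and the layout of the successful-login line are constructed assumptions.

```python
import re
from collections import Counter

# Handshake failure as logged by the login process (one physical line in maillog).
FAIL_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): Disconnected.*?rip=(?P<rip>[^,\s]+),.*?"
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>.+?), session=")
# Successful login line; its layout here is an assumption (default log format).
LOGIN_RE = re.compile(r"dovecot: [\w-]+: Login: .*?rip=(?P<rip>[^,\s]+),")

def handshake_failures(log_text):
    """Count failed TLS handshakes per (client IP, OpenSSL reason string)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            # Reason is the last colon-separated field of the error string.
            reason = m.group("err").rsplit(":", 1)[-1].strip()
            counts[(m.group("rip"), reason)] += 1
    return counts

def locked_out(log_text):
    """Client IPs that only ever fail the handshake and never log in."""
    failed = {rip for rip, _ in handshake_failures(log_text)}
    ok = {m.group("rip") for m in LOGIN_RE.finditer(log_text)}
    return sorted(failed - ok)

# Constructed sample data: documentation-range addresses, made-up user/session.
ERR = "error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong version number"
FAIL = ("{ts} obsd4321 dovecot: imap-login: Disconnected: Connection closed: "
        "SSL_accept() failed: {err} (no auth attempts in 0 secs): user=<>, "
        "rip={rip}, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: "
        "{err}, session=<constructed>")
LOGIN = ("{ts} obsd4321 dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
         "rip={rip}, lip=198.51.100.5, mpid=4242, TLS, session=<constructed>")
SAMPLE_LOG = "\n".join([
    FAIL.format(ts="2022-11-16T16:32:02.837Z", rip="192.0.2.10", err=ERR),
    FAIL.format(ts="2022-11-16T16:47:03.112Z", rip="192.0.2.10", err=ERR),
    LOGIN.format(ts="2022-11-16T16:50:41.009Z", rip="192.0.2.20"),
    FAIL.format(ts="2022-11-16T16:51:12.450Z", rip="192.0.2.20", err=ERR),
])

if __name__ == "__main__":
    for (rip, reason), n in sorted(handshake_failures(SAMPLE_LOG).items()):
        print(f"{rip}\t{n}\t{reason}")
    print("never logged in:", locked_out(SAMPLE_LOG))
```

An address that shows both failures and a successful login usually means several clients share it, so only the addresses returned by `locked_out` are cut off entirely.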
