On 2022/11/16 16:55, Mikolaj Kucharski wrote:
> Hi,
>
> Just making sure I didn't miss anything on my end. I have working
> Dovecot setup for few OpenBSD releases now. Today I wanted to bump
> minimal TLS version on the Dovecot end:
>
> -ssl_min_protocol = TLSv1.2
> +ssl_min_protocol = TLSv1.3
>
> After restarting Dovecot, I see that I can connect to host:993 via:
>
> $ openssl s_client -connect imap.example.com:993 -showcerts \
>     </dev/null 2>/dev/null | sed -ne '/^Server certificate/,$p'
> Server certificate
> subject=/CN=imap.example.com
> issuer=/C=US/O=Let's Encrypt/CN=R3
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, X25519, 253 bits
> ---
> SSL handshake has read 4233 bytes and written 374 bytes
> ---
> New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> Server public key is 384 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_CHACHA20_POLY1305_SHA256
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Start Time: 1668617217
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---

TLSv1.3 in general works for me, here's a report from a server allowing
a fairly wide set of ciphers (which I see I can now tighten a bit as all
legit TLS <= 1.1 users dropped off)

$ zgrep TLSv1 dovecot.?.gz | sed s/.*TLSv/TLSv/ | sort | uniq -c
     10 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
     10 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
      6 TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)
   5004 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
  41595 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

And here's one from a server with

ssl_cipher_list = TLSv1.3:TLSv1.2+AEAD+ECDHE
ssl_curve_list = X25519:P-521:P-384

(and no ssl_min_protocol):

$ zgrep dovecot.*TLSv1 maillog.?.gz | sed s/.*TLSv/TLSv/ | sort | uniq -c | sort -n
     42 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    162 TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits)
    178 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    222 TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
    414 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
   2051 TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
  12082 TLSv1.2 with cipher ECDHE-ECDSA-CHACHA20-POLY1305 (256/256 bits)
  19374 TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)

There's a chance the min protocol version bits might *possibly* be a bit
wonky as that's an area of API that changed in newer OpenSSL, though I
think it probably is ok in Dovecot. (There were some issues with
dsync-over-TLS last time I tried it, but I was only trying that due to
laziness rather than setting up ssh, which works fine.)

> However on Android, Google Mail app doesn't connect any more and on the
> server I see following lines in maillog:
>
> 2022-11-16T16:32:02.837Z obsd4321 dovecot: imap-login: Disconnected:
> Connection closed: SSL_accept() failed: error:1402610B:SSL
> routines:ACCEPT_SR_CLNT_HELLO:wrong version number (no auth attempts in 0
> secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking:
> SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong
> version number, session=<xxxxxxx>
>
>
> No feedback from the Android app that doesn't work, emails are just not
> refreshing. Anyway, does anyone have Dovecot with TLSv1.3 as
> ssl_min_protocol?

I don't use the google mail app but I do use aquamail on Android and
that only sends a TLSv1.2 client hello (you can feed a file saved from
e.g. "tcpdump -s1500 -w somefile port 993" into wireshark which can
differentiate between the two). I suspect it bundles some other TLS
library rather than using the system one and it's a bit outdated, the
standard browser on the same phone does get TLSv1.3.
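
An added example, not part of the original message: the difference Wireshark shows between the two kinds of client hello is the supported_versions extension, where a TLSv1.3-capable client lists 0x0304 while legacy_version stays at 0x0303 for both. The Python below reads that from the raw bytes of a ClientHello and checks it against a floor such as ssl_min_protocol; the function names and the sample hellos are constructed here, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type, RFC 8446 section 4.2.1
NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def max_offered(record: bytes) -> int:
    """Highest known TLS version offered by a ClientHello (one TLS record)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:]                     # skip record header (5) and handshake header (4)
        offered = [struct.unpack_from("!H", body, 0)[0]]   # legacy_version
        pos = 2 + 32                          # legacy_version + random
        pos += 1 + body[pos]                  # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
        if pos < len(body):                   # extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                pos += 4
                if ext_type == SUPPORTED_VERSIONS:
                    # When present, this list replaces legacy_version.
                    count = body[pos] // 2
                    offered = list(struct.unpack_from(f"!{count}H", body, pos + 1))
                pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    known = [v for v in offered if v in NAMES]   # drops GREASE values such as 0x0a0a
    if not known:
        raise ValueError("no recognised TLS version offered")
    return max(known)

def passes_min_protocol(record: bytes, minimum: str = "TLSv1.3") -> bool:
    """Version check only: does the client offer at least `minimum`?"""
    floor = {name: code for code, name in NAMES.items()}[minimum]
    return max_offered(record) >= floor

def sample_hello(versions=()) -> bytes:
    """Constructed ClientHello for the demo; `versions` fills supported_versions."""
    ext = b""
    if versions:
        vs = struct.pack(f"!{len(versions)}H", *versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

To use it on real traffic, pass the TCP payload of the client's first packet from the tcpdump capture to max_offered(); sample_hello() only exists to give the functions something to run on offline.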