2020/12/04: Difference between revisions

From Woozle Writes Code
Jump to navigation Jump to search
No edit summary
No edit summary
Line 42: Line 42:
</pre>
</pre>
So, going on the theory that it's actually refusing TLSv1 and TLSv1.1 connections, I searched for "no protocols available" and found [https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level this piece of advice] which says that the openssl server configuration is what needs to be changed. Unfortunately, changing it doesn't seem to change the error. It would help if I knew whether I needed to restart something after each change, and what that might be, rather than rebooting all the time.
So, going on the theory that it's actually refusing TLSv1 and TLSv1.1 connections, I searched for "no protocols available" and found [https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level this piece of advice] which says that the openssl server configuration is what needs to be changed. Unfortunately, changing it doesn't seem to change the error. It would help if I knew whether I needed to restart something after each change, and what that might be, rather than rebooting all the time.
==12/5 Note==
[https://askubuntu.com/questions/1240595/enable-tls-1-0-and-tls-1-1-on-ubuntu-20-04 Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04] seems to be identifying the same problem, except with Nginx rather than Dovecot. The solution they worked out is via configuring Nginx rather than configuring OpenSSL, suggesting that perhaps Dovecot can be configured to override OpenSSL as well -- but a few attempts to do this were not successful. The Nginx settings given don't translate directly, though there are some analogous config options in Dovecot.

Revision as of 19:31, 5 December 2020

Template:Box/nav/log Turning on a couple of debug flags in #Dovecot's config now shows this in mail.log when #Eudora tries to connect:

Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: error
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=107.15.53.219, lip=68.183.140.54, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=</enhGK21wTFrDzXb>
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

The flags I changed:

  • auth_verbose = yes - didn't immediately change anything
  • verbose_ssl = yes - the extra info appeared after I made this change

As far as I can tell, Eudora should support up through TLSv1.1. I tested Dovecot with TLSv1 and TLSv1.1, and both were successful -- so I really don't understand what's going on here oh wait, maybe "Verification: OK" doesn't mean success. It does say "no protocols available" for 1.0 and 1.1, but gives all kinds of additional certificate info for 1.2.

TLSv1 test:

openssl s_client -connect mail.vbz.net:993 -tls1

Output:

CONNECTED(00000003)
140056042988864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So, going on the theory that it's actually refusing TLSv1 and TLSv1.1 connections, I searched for "no protocols available" and found this piece of advice which says that the openssl server configuration is what needs to be changed. Unfortunately, changing it doesn't seem to change the error. It would help if I knew whether I needed to restart something after each change, and what that might be, rather than rebooting all the time.

12/5 Note

Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04 seems to be identifying the same problem, except with Nginx rather than Dovecot. The solution they worked out is via configuring Nginx rather than configuring OpenSSL, suggesting that perhaps Dovecot can be configured to override OpenSSL as well -- but a few attempts to do this were not successful. The Nginx settings given don't translate directly, though there are some analogous config options in Dovecot.