2020/12/04

From Woozle Writes Code
Revision as of 02:15, 5 December 2020 by Woozle (talk | contribs)

Turning on a couple of debug flags in #Dovecot's config now shows this in mail.log when #Eudora tries to connect:

Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: error
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=107.15.53.219, lip=68.183.140.54, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=</enhGK21wTFrDzXb>
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

The flags I changed:

  • auth_verbose = yes - didn't immediately change anything
  • verbose_ssl = yes - the extra info appeared after I made this change
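The where=/ret= values in the verbose_ssl lines above are OpenSSL's info-callback data, which Dovecot just logs raw: "where" is a bitmask of SSL_CB_* flags and, for alert events, "ret" packs the TLS alert level in the high byte and the alert description in the low byte. The decoder below is an added example (not Dovecot's code and not part of this log entry); it uses the flag values from OpenSSL's ssl.h and the alert codes from the TLS RFCs, and runs over the log lines quoted above.

```python
"""Decode Dovecot verbose_ssl debug lines (OpenSSL info-callback output).

Added example, not part of the original log entry. Flag values are the
SSL_CB_* / SSL_ST_* constants from <openssl/ssl.h>; alert codes are the
TLS AlertDescription values. SAMPLE_LOG is copied from the mail.log
excerpt in the entry above.
"""
import re

# SSL_CB_* / SSL_ST_* bits as used in the info callback's "where" argument
SSL_CB_FLAGS = {
    0x0001: "LOOP",
    0x0002: "EXIT",
    0x0004: "READ",
    0x0008: "WRITE",
    0x0010: "HANDSHAKE_START",
    0x0020: "HANDSHAKE_DONE",
    0x1000: "ST_CONNECT",  # this side is the TLS client
    0x2000: "ST_ACCEPT",   # this side is the TLS server
    0x4000: "ALERT",
}

ALERT_LEVEL = {1: "warning", 2: "fatal"}
# AlertDescription values that show up in version/cipher negotiation failures
ALERT_DESC = {
    0: "close_notify",
    40: "handshake_failure",
    46: "certificate_unknown",
    47: "illegal_parameter",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    109: "missing_extension",
    110: "unsupported_extension",
    112: "unrecognized_name",
}

LINE_RE = re.compile(r"SSL( alert)?: where=0x([0-9A-Fa-f]+), ret=(-?\d+)")

SAMPLE_LOG = """\
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Dec  5 00:58:54 cloud1 dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: error
""".splitlines()


def decode_where(where):
    """Names of the SSL_CB_* bits set in an info-callback 'where' value."""
    return [name for bit, name in sorted(SSL_CB_FLAGS.items()) if where & bit]


def decode_alert(ret):
    """Split an alert 'ret' into (level, description): 582 -> ('fatal', 'protocol_version')."""
    level = ALERT_LEVEL.get(ret >> 8, "level_%d" % (ret >> 8))
    desc = ALERT_DESC.get(ret & 0xFF, "desc_%d" % (ret & 0xFF))
    return level, desc


def parse_line(line):
    """Decode one verbose_ssl line; returns None for lines without where=/ret=."""
    m = LINE_RE.search(line)
    if not m:
        return None
    where = int(m.group(2), 16)
    ret = int(m.group(3))
    flags = decode_where(where)
    rec = {"where": where, "flags": flags, "ret": ret}
    if "ALERT" in flags:
        rec["alert_level"], rec["alert_desc"] = decode_alert(ret)
        # WRITE: this process emitted the alert; READ: the peer sent it to us
        rec["direction"] = "sent" if "WRITE" in flags else "received"
    return rec


def diagnose(lines):
    """One-line verdict for a handshake fragment: who sent a fatal alert, and why."""
    records = [r for r in map(parse_line, lines) if r]
    role = "server" if any("ST_ACCEPT" in r["flags"] for r in records) else "client"
    for r in records:
        if r.get("alert_level") == "fatal":
            return "%s %s fatal alert %s" % (role, r["direction"], r["alert_desc"])
    if any("HANDSHAKE_DONE" in r["flags"] for r in records):
        return "handshake completed"
    return "no fatal alert recorded"


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = parse_line(entry)
        if rec:
            print(rec)
    print(diagnose(SAMPLE_LOG))
```

For the lines above this yields "server sent fatal alert protocol_version": where=0x4008 is ALERT|WRITE on the accepting (ST_ACCEPT) side, so it is Dovecot itself that wrote the protocol_version alert, meaning the server rejected the version range the client offered. In Dovecot 2.3 that floor is the `ssl_min_protocol` setting, which is what the verbose_ssl output points at rather than anything on the client.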

As far as I can tell, Eudora should support up through TLSv1.1. I tested Dovecot with TLSv1 and TLSv1.1, and both were successful -- so I really don't understand what's going on here. Oh wait, maybe "Verification: OK" doesn't mean success. It does say "no protocols available" for 1.0 and 1.1, but gives all kinds of additional certificate info for 1.2.

TLSv1 test:

openssl s_client -connect mail.vbz.net:993 -tls1

Output:

CONNECTED(00000003)
140056042988864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So, going on the theory that it's actually refusing TLSv1 and TLSv1.1 connections, I searched for "no protocols available" and found this piece of advice which says that the openssl server configuration is what needs to be changed. Unfortunately, changing it doesn't seem to change the error. It would help if I knew whether I needed to restart something after each change, and what that might be, rather than rebooting all the time.
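One thing worth separating in the s_client output above is which side refused. The error is raised inside tls_construct_client_hello, i.e. while the local OpenSSL was building its own ClientHello, and the handshake read 0 bytes; that means the client-side OpenSSL declined to offer TLSv1 at all (its own minimum protocol, from openssl.cnf or the build) and the server never got a say, so this test does not exercise the server's configuration. "Verification: OK" and "Verify return code: 0 (ok)" are vacuous here because no peer certificate was ever received. The classifier below is an added example (not from the page or from OpenSSL); PAGE_OUTPUT is the TLSv1 test output quoted above, while SERVER_REJECT_OUTPUT and SUCCESS_OUTPUT are constructed samples of the shape OpenSSL 1.1.x prints when the server answers with a protocol_version alert and when a session is negotiated.

```python
"""Classify `openssl s_client` output: did the handshake fail on our side or the server's?

Added example, not part of the original page. PAGE_OUTPUT is the TLSv1 test
output from the entry; the other two samples are constructed.
"""
import re

ERR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:([^:]+):([^:]+):")
NEW_RE = re.compile(r"^New, (.+?), Cipher is (.+)$", re.M)
BYTES_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")

PAGE_OUTPUT = """\
CONNECTED(00000003)
140056042988864:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
"""

# Constructed sample: the server itself answers with a fatal protocol_version alert
SERVER_REJECT_OUTPUT = """\
CONNECTED(00000003)
140056042988864:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 169 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
"""

# Constructed sample: a negotiated session (certificate details omitted)
SUCCESS_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 3044 bytes and written 301 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
---
"""


def classify(output):
    """Return protocol/cipher, byte counts, which side failed, and whether 'Verification: OK' is vacuous."""
    result = {"protocol": None, "cipher": None, "side": None, "reason": None,
              "bytes_read": None, "bytes_written": None, "verify_vacuous": False}
    m = NEW_RE.search(output)
    if m:
        result["protocol"] = None if m.group(1) == "(NONE)" else m.group(1)
        result["cipher"] = None if m.group(2) == "(NONE)" else m.group(2)
    m = BYTES_RE.search(output)
    if m:
        result["bytes_read"], result["bytes_written"] = int(m.group(1)), int(m.group(2))
    # A zero verify code with no peer certificate means nothing was actually verified
    result["verify_vacuous"] = ("no peer certificate available" in output
                                and "Verify return code: 0 (ok)" in output)
    if result["cipher"] is not None:
        result["reason"] = "negotiated"
        return result
    m = ERR_RE.search(output)
    if m:
        func, reason = m.group(1), m.group(2)
        result["reason"] = reason
        if func.startswith("tls_construct_client_hello") or reason == "no protocols available":
            # Failed while building our own ClientHello: local OpenSSL policy, not the server
            result["side"] = "client"
        elif " alert " in reason:
            # The peer answered with a TLS alert: the server refused
            result["side"] = "server"
        else:
            result["side"] = "unknown"
    elif result["bytes_read"] == 0:
        result["side"] = "unknown"
        result["reason"] = "no response from server"
    return result


if __name__ == "__main__":
    for name, sample in (("page", PAGE_OUTPUT), ("server-reject", SERVER_REJECT_OUTPUT),
                         ("success", SUCCESS_OUTPUT)):
        print(name, classify(sample))
```

Running it on the page's output gives side "client" with reason "no protocols available" and verify_vacuous True, so the right next step is the local openssl.cnf (or another client that still offers TLSv1), not the Dovecot side. Separately, Dovecot only picks up config changes on `doveadm reload` or a service restart, so a change that "doesn't seem to change the error" may simply not have been loaded yet.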