Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)
Hi,
It's probably due to new defaults in libssl.
Try adding:
MinProtocol = None
CipherString = DEFAULT
To:
/etc/ssl/openssl.cnf
Regards,
Alberto
On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
> Hi,
>
> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
> they're not recommended but I need them for older clients). I tried
> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
> (even very permissive combinations) with no success.
>
> Any idea what's happening?
>
> I'm not sure whether it's really a Cyrus issue or some other kind of
> hardening feature in Buster. In that last regard, I also modified
> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
> I think this setting is only for client programs like Curl. But seeing
> that config I tend to think that Buster may have other tweaks against
> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
>
> Cheers,
>
> -r
>
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: agi@inittab.org | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
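
An added example, not part of either message: a Python check that resolves the library-wide defaults section of an openssl.cnf and reports when MinProtocol or the CipherString security level sits below a floor, which helps keep track of hosts where the change suggested in the reply has been applied. The sample files are constructed; the section names and the values `MinProtocol = TLSv1.2` / `CipherString = DEFAULT@SECLEVEL=2` are assumed from Debian Buster's stock file, and the floor is a parameter of this script.

```python
import re

# MinProtocol names OpenSSL accepts for TLS, weakest first ("None" = no floor).
ORDER = ["None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_sections(text):
    """Parse openssl.cnf-style text into {section_name: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default to the live section."""
    sections = parse_sections(text)
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
    return sections.get(name, {})

def audit(text, floor="TLSv1.2", min_level=2):
    """List ways the library-wide defaults fall below the given floor."""
    cfg, findings = system_default(text), []
    proto = cfg.get("MinProtocol", "None")
    if proto not in ORDER:
        findings.append(f"MinProtocol {proto!r} is not a name this script knows")
    elif ORDER.index(proto) < ORDER.index(floor):
        findings.append(f"MinProtocol {proto} is below {floor}")
    level = re.search(r"@SECLEVEL=(\d)", cfg.get("CipherString", ""))
    if level is None or int(level.group(1)) < min_level:
        findings.append(f"CipherString sets no SECLEVEL of {min_level} or higher")
    return findings

# Constructed samples: assumed Buster section chain, stock values vs. the reply's values.
HEAD = ("openssl_conf = default_conf\n[default_conf]\nssl_conf = ssl_sect\n"
        "[ssl_sect]\nsystem_default = system_default_sect\n"
        "[system_default_sect]\n")
SHIPPED = HEAD + "MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
RELAXED = HEAD + "MinProtocol = None\nCipherString = DEFAULT\n"

if __name__ == "__main__":
    print({"shipped": audit(SHIPPED), "relaxed": audit(RELAXED)})
```

These settings are library-wide, so a lowered floor applies to every program on the host that loads this file, not only to Cyrus.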