
Re: TLS1.0 and 1.1 with Cyrus (Debian Buster)



Hi,

It's probably due to new defaults in libssl.
Try adding:
MinProtocol = None
CipherString = DEFAULT
To:
/etc/ssl/openssl.cnf

Regards,

Alberto

On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
> Hi,
> 
> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
> they're not recommended but I need them for older clients). I tried
> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
> (even very permissive combinations) with no success.
> 
> Any idea what's happening?
> 
> I'm not sure whether it's really a Cyrus issue or some other kind of
> hardening feature in Buster. In that last regard, I also modified
> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
> I think this setting is only for client programs like Curl. But seeing
> that config I tend to think that Buster may have other tweaks against
> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
> 
> Cheers,
> 
> -r
> 

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: agi@inittab.org | for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
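
An added example, not part of either message above: a Python sketch that resolves which section of an openssl.cnf actually supplies MinProtocol and CipherString, so the effect of an edit like the one suggested in the reply can be checked before restarting Cyrus. The sample file is constructed and assumes the openssl_conf -> ssl_conf -> system_default layout of Debian Buster's default file; the function names are hypothetical.

```python
import re

# Constructed sample following the section chain of Debian Buster's openssl.cnf.
SAMPLE = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
# Protocol names documented for MinProtocol in SSL_CONF_cmd(3), oldest first.
ORDER = ["None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value  # last assignment wins in this sketch
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default to the section in use."""
    cfg, name = parse(text), ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        name = cfg.get(name, {}).get(key)
        if name is None:
            return {}  # chain broken: no system-wide TLS defaults are applied
    return cfg.get(name, {})

def audit(text):
    """Return (MinProtocol, SECLEVEL or None, verdict) for the section in use."""
    sect = system_default(text)
    floor = sect.get("MinProtocol", "None")
    level = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", ""))
    level = int(level.group(1)) if level else None
    if floor not in ORDER:
        verdict = "unrecognised MinProtocol value"
    elif ORDER.index(floor) < ORDER.index("TLSv1.2"):
        verdict = "TLS 1.0/1.1 permitted by MinProtocol"
    else:
        verdict = "TLS 1.2 or newer only"
    return floor, level, verdict
```

Run audit() on the text of the real file to see whether an edit landed in the section that is in use; lines placed above the first [section] header end up in the unnamed default section and leave the system-wide TLS defaults untouched. The change is global, so every program that loads this file inherits the lowered floor, not only Cyrus.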

