You may need to add to your ssl_cipher_list:

ssl_cipher_list = ALL:@SECLEVEL=1

I am not 100% certain why, but the @SECLEVEL=1 addition unlocks several ciphers that I've found to be required for TLSv1 to work.

On Tue, 12 Apr 2022 14:32:43 -0500 Myriam Luce <[email protected]> wrote:

> Hi, I'm trying to enable TLS1.0 support for an old client. Per
> dovecot -n
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.4.0-107-generic x86_64 Ubuntu 20.04.4 LTS ext4
> # Hostname:
>
> In 10-ssl.conf, I have set
>
> ssl_min_protocol = TLSv1
>
> (It doesn't show in dovecot -n, I suspect because it's equal to the default value?) I restarted dovecot with systemctl. Then, from another machine,
>
> openssl s_client -connect zeserver.com:993 -tls1
>
> fails with this output:
>
> CONNECTED(00000003)
> 140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 7 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
>
> The same command with -tls1_2 works as intended (certificate printing, imap prompt).
>
> Am I forgetting something somewhere, or is this an actual bug?
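The s_client output quoted above is easy to misread, because "Verification: OK" and "Verify return code: 0 (ok)" are printed even though no session was negotiated and 0 bytes were read from the server. The following added example (not from the thread or the Dovecot project) parses s_client output on constructed samples and separates a handshake that never reached the server from one the server rejected; the successful-run sample's cipher and byte counts are made up.

```python
import re

# Constructed sample, trimmed from the failed "-tls1" attempt quoted above. The
# "Verification: OK" / "Verify return code: 0 (ok)" lines are NOT a success signal.
FAILED_TLS1 = """CONNECTED(00000003)
140166917489984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""
# Constructed sample of a successful "-tls1_2" run (cipher and byte counts made up).
OK_TLS12 = """CONNECTED(00000003)
---
SSL handshake has read 3210 bytes and written 415 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
"""

def parse_s_client(output: str) -> dict:
    """Extract what actually happened from openssl s_client output."""
    r = {"handshake": False, "protocol": None, "cipher": None, "bytes_read": 0, "error": None}
    # "New, <proto>, Cipher is <cipher>" is the reliable indicator; "(NONE)" = no session.
    m = re.search(r"^New, ([^,]+), Cipher is (.+)$", output, re.M)
    if m and m.group(1).strip() != "(NONE)":
        r.update(handshake=True, protocol=m.group(1).strip(), cipher=m.group(2).strip())
    m = re.search(r"SSL handshake has read (\d+) bytes", output)
    if m:
        r["bytes_read"] = int(m.group(1))
    m = re.search(r"SSL routines:([^:]+):([^:]+):", output)
    if m:
        r["error"] = f"{m.group(1)}: {m.group(2)}"
    return r

def diagnose(output: str) -> str:
    """One-line verdict that separates a client-side refusal from a server rejection."""
    r = parse_s_client(output)
    if r["handshake"]:
        return f"ok: {r['protocol']} with {r['cipher']}"
    if r["bytes_read"] == 0:
        # Nothing was read from the server: the failure happened inside the client
        # before any reply, so the client's own OpenSSL settings are the first thing to check.
        return f"client-side failure before any server reply: {r['error']}"
    return f"server rejected the handshake: {r['error']}"
```

Run `diagnose()` on the captured text of each s_client attempt; a "client-side failure" verdict means changing the Dovecot server configuration alone cannot make that test pass.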
