On , at , "Steffan A. Cline" <stef...@hldns.com> wrote:
Hi,

have you resolved this problem yet? I reproduce it when I connect via either imap or smtp from claws-mail linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl enabled.

In my case it is caused by my dovecot configuration, namely:

    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

According to [1]:

> It seems that following poodle many sites incorrectly banned SSL 3.0
> record packet versions. Since gnutls uses an SSL 3.0 record to
> advertise TLS 1.2, they are effectively banning it even if it doesn't
> advertise SSL 3.0.

After removing SSLv3 from ssl_cipher_list the client connected successfully. I'm not really sure though if it is a proper workaround or am I opening a possible attack vector; I will be carrying out more tests next weekend.

However, I don't think it's necessary for gnutls to behave this way, NSS works fine in either configuration.

[1]: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html