Bug#846082: cyrus-imapd: TLS connections fail with 2.5.10-2 (new config option?)
Ondřej Surý
ondrej at sury.org
Tue Nov 29 15:59:15 UTC 2016
Hi,
could you please try setting this to:
TLSv1.2:+TLSv1:+HIGH:!aNULL:@STRENGTH
Any breakage is probably related to the openssl update to 1.1 and not the
cyrus-imapd update, but ...
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for baking bread of all kinds
On Mon, Nov 28, 2016, at 12:25, David Caldwell wrote:
> Package: cyrus-imapd
> Version: 2.5.10-2
> Severity: important
>
> Dear Maintainer,
>
> I just installed 2.5.10-2 tonight and afterward no clients could connect to
> the imap server (thunderbird, iOS mail). I tried testing with s_client and
> got this:
>
> # openssl s_client -connect <my-server-redacted>:993 -tls1_2
> CONNECTED(00000003)
> 140392100000896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1480330922
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
>
> In /var/log/mail.log I found these messages (for each connection attempt):
>
> Nov 28 02:49:50 death cyrus/imaps[19158]: inittls: Loading hard-coded DH parameters
> Nov 28 02:49:50 death cyrus/imaps[19158]: imaps TLS negotiation failed: cpe-172-249-96-89.socal.res.rr.com [172.249.96.89]
>
> I played around and eventually commented out this line in /etc/imapd.conf:
>
> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>
> After that all the clients (including s_client) could connect (s_client
> reported this: "TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384").
>
> I don't understand the syntax of that line, but I suspect something might be
> wrong there. If it's correct, any idea why no clients can connect to the
> server?
>
> Thanks,
> David
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages cyrus-imapd depends on:
> ii cyrus-common 2.5.10-2
> ii dpkg 1.18.15
> ii libc6 2.24-5
> ii libicu57 57.1-4
> ii libsasl2-2 2.1.27~72-g88d82a3+dfsg-1
> ii libssl1.1 1.1.0c-2
> ii libwrap0 7.6.q-25
> ii zlib1g 1:1.2.8.dfsg-2+b3
>
> cyrus-imapd recommends no packages.
>
> cyrus-imapd suggests no packages.
>
> -- no debconf information
>
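A pre-flight check for the `tls_ciphers` setting this thread is about, added here as an example and not part of the bug report or of the cyrus-imapd package: it asks the OpenSSL library installed on the host to expand a cipher spec with `openssl ciphers`, so a spec that the new library rejects or that selects no suites at all (leaving the server nothing to offer a client) is caught before cyrus is restarted. It assumes a POSIX shell, an `openssl` binary in PATH, and an imapd.conf-style file containing a single `tls_ciphers:` line; the script name is hypothetical.

```shell
#!/bin/sh
# check_tls_ciphers.sh (hypothetical name): validate a cyrus-imapd
# tls_ciphers value against the OpenSSL library installed on this host.

# Print the suites SPEC expands to and return 0; return 1 when OpenSSL
# rejects the list or it selects no suites ("Error in cipher list").
check_cipher_spec() {
    spec=$1
    list=$(openssl ciphers "$spec" 2>/dev/null) || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Number of suites SPEC selects; prints 0 when the spec is unusable.
count_cipher_spec() {
    check_cipher_spec "$1" | tr ':' '\n' | grep -c . || true
}

# Validate the tls_ciphers line of an imapd.conf-style file
# (constructed input in the test; /etc/imapd.conf on a real host).
check_imapd_conf() {
    conf=$1
    spec=$(sed -n 's/^tls_ciphers:[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$spec" ]; then
        echo "no tls_ciphers set; cyrus-imapd will use its built-in default"
        return 0
    fi
    if n=$(count_cipher_spec "$spec") && [ "$n" -gt 0 ]; then
        echo "tls_ciphers OK ($n suites with $(openssl version)): $spec"
        return 0
    fi
    echo "tls_ciphers '$spec' selects no suites with $(openssl version);" \
         "every TLS handshake would fail" >&2
    return 1
}

# Stand-alone use: sh check_tls_ciphers.sh /etc/imapd.conf
if [ -n "${1:-}" ]; then
    check_imapd_conf "$1"
fi
```

Run it against the old and the suggested spec on the upgraded host to see which one the installed libssl still accepts.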