Hi, could you please try setting this to:

TLSv1.2:+TLSv1:+HIGH:!aNULL:@STRENGTH

Any breakage is probably related to the openssl update to 1.1 and not the cyrus-imapd update, but ...

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds

On Mon, Nov 28, 2016, at 12:25, David Caldwell wrote:
> Package: cyrus-imapd
> Version: 2.5.10-2
> Severity: important
>
> Dear Maintainer,
>
> I just installed 2.5.10-2 tonight and afterward no clients could connect to
> the imap server (thunderbird, iOS mail). I tried testing with s_client and
> got this:
>
> # openssl s_client -connect <my-server-redacted>:993 -tls1_2
> CONNECTED(00000003)
> 140392100000896:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1480330922
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> In /var/log/mail.log I found these messages (for each connection attempt):
>
> Nov 28 02:49:50 death cyrus/imaps[19158]: inittls: Loading hard-coded DH parameters
> Nov 28 02:49:50 death cyrus/imaps[19158]: imaps TLS negotiation failed: cpe-172-249-96-89.socal.res.rr.com [172.249.96.89]
>
> I played around and eventually commented out this line in /etc/imapd.conf:
>
> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>
> After that all the clients (including s_client) could connect (s_client
> reported this: "TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384").
>
> I don't understand the syntax of that line, but I suspect something might be
> wrong there. If it's correct, any idea why no clients can connect to the
> server?
>
> Thanks,
> David
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages cyrus-imapd depends on:
> ii  cyrus-common  2.5.10-2
> ii  dpkg          1.18.15
> ii  libc6         2.24-5
> ii  libicu57      57.1-4
> ii  libsasl2-2    2.1.27~72-g88d82a3+dfsg-1
> ii  libssl1.1     1.1.0c-2
> ii  libwrap0      7.6.q-25
> ii  zlib1g        1:1.2.8.dfsg-2+b3
>
> cyrus-imapd recommends no packages.
>
> cyrus-imapd suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> Pkg-Cyrus-imapd-Debian-devel mailing list
> pkg-cyrus-imapd-debian-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-imapd-debian-devel