On 2019-06-06, kasak <kasak@kasakoff.net> wrote:
>
> Excuse me, can this issue also break dovecot and latest thunderbird?
> With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
> opensmtpd) suddenly refuse to log me in.
> Dovecot shows something like this in logs:
>
> TLS handshaking: SSL_accept() failed: error:140270E3:SSL
> routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext
Yes I am pretty much certain this has the same cause.
Fixes:
- move the server to current where this has been fixed already
- the fix has been committed to -stable today so you can update libssl
from there; if you already have a checkout you can do this
cd /usr/src/lib/libssl
cvs up -r OPENBSD_6_5 -Pd
make obj
make
make install
(and restart the relevant services)
- an errata/syspatch is planned for this issue; should show up in the
next few days (possibly Monday)
- update crypto-policies from the Fedora testing repository, see links
in comments 10/11 on https://bugzilla.redhat.com/show_bug.cgi?id=1713777
> I found workarond for this, by switching from "STARTTLS" to SLL/TLS for
> imap. But OpenSMTPD still not working.
> As I said, this behavior appeared in latest thunderbird 60.7.0. Older
> versions of thunderbird work.
btw, where possible it's usually a good idea to use a port which just
uses plain TLS rather than starting as text and switching with STARTTLS,
this avoids the risk of a cleartext connection being intercepted and
modified to disable the STARTTLS. (of course if a client is configured
to never send cleartext credentials then it doesn't matter, but that's
not always done)
No comments:
Post a Comment