SysAdmin Blog

Debian bullseye / Devuan chimaera openssl minimum TLS version

Alexander Bochmann Saturday 23 of April, 2022
I recently spent way too much time trying to find out why my mail server wasn't able to send mail to a system that apparently only supported TLSv1. None of the TLS options in the sendmail configuration made any difference.

Things started to click only after I noticed that connecting to the system in question via openssl s_client produced the same error message:

> openssl s_client -connect mail.some.domain:25 -starttls smtp
CONNECTED(00000003)
139770261177664:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957:

As it turns out, /etc/ssl/openssl.cnf in current Debian / Devuan has the following global configuration settings:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

So yeah, anything using openssl that doesn't explicitly override that configuration will not be able to make TLS connections to systems that only support protocol versions older than TLSv1.2...

Changing the settings to MinProtocol = TLSv1 made it possible to deliver my mail.
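
Because this setting is global, it helps to be able to check which hosts have had the floor lowered. The following is an added example, not code from the original post: a small Python audit that reads an openssl.cnf and reports the effective system-wide MinProtocol. It assumes the stock layout in which the default section points to [system_default_sect] through openssl_conf, ssl_conf and system_default; the sample config, the function names and the "unset means permissive" rule are constructed for illustration.

```python
import re

# Constructed sample: the indirection chain that leads to the section quoted
# in the post (assumed stock layout; only the last section appears on the page).
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2   # floor for anything that loads this config
CipherString = DEFAULT@SECLEVEL=2
"""

ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}; '' is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return that section's settings."""
    s = parse_cnf(text)
    name = s[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key)
    return s.get(name, {})

def allows_below(text, floor="TLSv1.2"):
    """True if MinProtocol permits versions older than `floor`. Assumption: an
    unset or unrecognised value (e.g. 'None') is treated as permissive."""
    minp = system_default(text).get("MinProtocol")
    return minp not in ORDER or ORDER.index(minp) < ORDER.index(floor)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CNF
    print(system_default(text), "allows < TLSv1.2:", allows_below(text))
```

Run it with /etc/ssl/openssl.cnf as the argument; a result of True after a change like the one above means every program that relies on the system default will again negotiate the older protocol versions, not just the mail server.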