Connecting to IMAP folders of a specific mail account in mutt fails with
SSL failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
For other accounts it works just fine, as it did for this account for a long time.
I cut down my .muttrc:
$ less ~/.muttrc_debug
set imap_user = username
set imap_pass='mypassword'
set folder = imaps://mailserver
set spoolfile = +INBOX
I'd appreciate any ideas
thanks.
Some more information:
$ mutt -v
Mutt 1.12.1 (2019-06-15)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: Linux 5.1.12-arch1-1-ARCH (x86_64)
ncurses: ncurses 6.1.20180127 (compiled with 6.1)
libidn2: 2.2.0 (compiled with 2.2.0)
hcache backend: GDBM version 1.18.1. 27/10/2018 (built Jan 10 2019 15:18:10)
Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp --enable-cet=auto
Thread model: posix
gcc version 8.3.0 (GCC)
Configure options: '--prefix=/usr' '--sysconfdir=/etc' '--enable-gpgme' '--enable-pop' '--enable-imap' '--enable-smtp' '--enable-hcache' '--enable-sidebar' '--with-curses=/usr' '--with-gss=/usr' '--with-ssl=/usr' '--with-sasl' '--with-idn2' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
Compilation CFLAGS: -Wall -pedantic -Wno-long-long -march=x86-64 -mtune=generic -O2 -pipe -fno-plt
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL -USE_SETGID +USE_DOTLOCK -DL_STANDALONE +USE_FCNTL -USE_FLOCK
+USE_POP +USE_IMAP +USE_SMTP
+USE_SSL_OPENSSL -USE_SSL_GNUTLS +USE_SASL +USE_GSS +HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM +HAVE_FUTIMENS
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
-EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS -HAVE_LIBIDN +HAVE_LIBIDN2 +HAVE_GETSID +USE_HCACHE
+USE_SIDEBAR -USE_COMPRESSED +USE_INOTIFY
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
I did not apply any changes to /etc/ssl/openssl.cnf, therefore:
$ diff /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
And maybe something like that:
$ openssl s_client -host mailbox.servername -port 993
CONNECTED(00000003)
---
Certificate chain
0 s:C = DE, ST = [...] , L = [...], O = [...], OU = [...], CN = servername
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
3 s:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=C = DE, ST = [...], L = [...], O = [...], OU = ZIM, CN = servername
issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
---
No client certificate CA names sent
---
SSL handshake has read 6350 bytes and written 646 bytes
Verification: OK
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 784AA6227F60CD0669E24514EC6CE5886A07FA3FBCFA98D28B52F2E7EC0B1798
Session-ID-ctx:
Master-Key: EBAD5349853ECBB198D2DD0C55072D0330C7F7E205500A3FD15649FC2FC999E0A909BD3B7FFC9E279CC19272621B172F
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1561115979
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://mupdate.servername/ AUTH=LOGIN AUTH=PLAIN SASL-IR] mupdate.servername Cyrus IMAP4 (Murder) v2.3.7-Invoca-RPM-2.3.7-16.el5_11 server ready
Last edited by fredson (2019-06-21 15:36:30)
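The `SSL-Session` block in the `s_client` output above is where the negotiated protocol shows up. As an added example (not part of the original post), this shell sketch extracts the protocol and cipher from such output and flags anything older than TLS 1.2; the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the protocol reported by `openssl s_client`.

# Constructed sample: the SSL-Session lines quoted in the post above.
sample_legacy='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Constructed sample: what a TLS 1.2 server might report (not from the thread).
sample_modern='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Read s_client output on stdin, print "<protocol> <cipher>".
# Exits with status 2 when no "Protocol :" line is present.
tls_session_info() {
    awk -F': *' '
        /^[[:space:]]*Protocol[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); proto = $2 }
        /^[[:space:]]*Cipher[[:space:]]*:/   { gsub(/[[:space:]]/, "", $2); cipher = $2 }
        END { if (proto == "") exit 2; print proto, cipher }
    '
}

# Print a one-line verdict and return:
#   0 = TLS 1.2 or newer, 1 = older protocol, 2 = could not tell.
tls_audit() {
    info=$(tls_session_info) || { echo "UNKNOWN no session block"; return 2; }
    proto=${info%% *}
    case $proto in
        TLSv1.2|TLSv1.3)           echo "OK $info";      return 0 ;;
        SSLv2|SSLv3|TLSv1|TLSv1.1) echo "LEGACY $info";  return 1 ;;
        *)                         echo "UNKNOWN $info"; return 2 ;;
    esac
}

# Demo on the constructed samples (|| true keeps the script going on LEGACY).
printf '%s\n' "$sample_legacy" | tls_audit || true
printf '%s\n' "$sample_modern" | tls_audit || true

# Against a live server, using the invocation from the post:
#   openssl s_client -host mailbox.servername -port 993 </dev/null 2>/dev/null | tls_audit
```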
Protocol : TLSv1
Eeewww…
http://www.mutt.org/doc/manual/#ssl-use-tlsv1
If you have *any* impact on the server (i.e. if you can e.g. threaten the admin with a butter knife) please fix the server instead.
I stopped short of stabbing the admin because this also works
set ssl_use_tlsv1.2 = yes
My fault, no, indeed, just the following works:
set ssl_use_tlsv1 = yes
Last edited by fredson (2019-06-21 15:54:58)
http://www.mutt.org/doc/manual/#ssl-use-tlsv1-2 ?
That's supposed to default to yes, did you disable it?
He didn't suggest stabbing, specifically. Perhaps he needs to be "buttered up" to request a change.
But it seems the broadcast was vague: using 1.0 would not be wise, but 1.2 is fine.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
I changed my post and indeed only 1.0 works. It may well be an unintended change in the server's config.
Time for the butter knife then.
Still more civil than a spoon.