nmh-workers

Re: [Nmh-workers] TLS with smtp not working for me


From: Ken Hornstein
Subject: Re: [Nmh-workers] TLS with smtp not working for me
Date: Wed, 31 May 2017 10:19:37 -0400

>[BHST] TLS negotiation failed: error:14077102:SSL 
>routines:SSL23_GET_SERVER_HELLO:unsupported protocol

Okay, so I dug into this a bit.  Things are working as intended!  At least
for some definition of "intended".

The key change that affected you was the following bit of code in
sbr/netsec.c:

            SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                                SSL_OP_NO_TLSv1);

Well, actually, as with most things involving openssl, it's a little more
complicated than that.  The previous code used TLSv1_client_method(), but
that meant that you would ONLY negotiate TLS 1.0.  The current portable
recommendation is to use SSLv23_client_method(), and disable what you don't
want.  And so obviously we want to disable SSLv2 and SSLv3, and when I wrote
that code it sure seems like TLS 1.0 was on the way out so I disabled that
one as well.

After some experimentation with openssl s_client, it seems that the
highest level of TLS that the server smtp.uu.se supports is TLS 1.0!
Which is actually kind of surprising to me.  That seems ... wrong,
somehow?  But anyway, if you remove the SSL_OP_NO_TLSv1 in the above-mentioned
line, I think everything will work fine.

I am kind of torn about this.  The stuff I have been seeing is that most
everybody should be moving to TLS 1.1 or greater, and I thought all of
the servers out there had supported this a long time ago.  What do others
think?

--Ken
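
The error line quoted at the top of this message can be decoded mechanically to confirm that the failure is a protocol-version mismatch rather than a certificate or cipher problem. This is an added example, not part of the original message or of nmh; it assumes the packed error layout used by OpenSSL releases before 3.0, and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packed OpenSSL error code, pre-3.0 layout (assumed here):
 * 8-bit library, 12-bit function, 12-bit reason. */
struct ossl_err { unsigned lib, func, reason; };

/* Values as defined in the OpenSSL 1.0.x headers. */
#define LIB_SSL                     20   /* ERR_LIB_SSL */
#define REASON_UNSUPPORTED_PROTOCOL 258  /* SSL_R_UNSUPPORTED_PROTOCOL */

/* Find "error:<hex>:" in a log line and split the packed code.
 * Returns 0 on success, -1 if the line carries no parsable code. */
int parse_ossl_error(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code;
    if (p == NULL)
        return -1;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    if (end == p || *end != ':' || code > 0xFFFFFFFFUL)
        return -1;
    out->lib    = (unsigned)((code >> 24) & 0xFF);
    out->func   = (unsigned)((code >> 12) & 0xFFF);
    out->reason = (unsigned)(code & 0xFFF);
    return 0;
}

/* 1 if the line reports that client and server share no protocol version. */
int is_version_mismatch(const char *line)
{
    struct ossl_err e;
    return parse_ossl_error(line, &e) == 0 &&
           e.lib == LIB_SSL && e.reason == REASON_UNSUPPORTED_PROTOCOL;
}

int main(void)
{
    /* The failure line from this thread, rejoined onto one line. */
    const char *line = "[BHST] TLS negotiation failed: error:14077102:SSL "
                       "routines:SSL23_GET_SERVER_HELLO:unsupported protocol";
    struct ossl_err e;
    if (parse_ossl_error(line, &e) == 0)
        printf("lib=%u func=%u reason=%u mismatch=%d\n", e.lib, e.func,
               e.reason, is_version_mismatch(line));
    return 0;
}
```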


