Some people were reporting that an IMAP server wasn’t working on their Mac. It was working from linux machines, and from Thunderbird on all OSes. From Macs I was getting this testing from the command line:
$ openssl s_client -connect <my-imap-server>:993 CONNECTED(00000003) 39458:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:593:
This led me to a recent
libssl package upgrade on my server (to version 1.1.0f-4). Checking the changelogs I found this:
* Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS version. This will likely break things, but the hope is that by the release of Buster everything will speak at least TLS 1.2. This will be reconsidered before the Buster release.
Ah-ha! To quickly get back up and running I grabbed the old version from http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.0f-3_amd64.deb and installed it (and then held the package so it wouldn’t auto-upgrade).
I do hope Debian reconsiders this change, at least in the short term, since I can’t easily force OS upgrades to everyone that uses this server. Ideally Apple would update their old OSes to support TLS 1.2, but I’m not holding my breath.