Debian 10 made some updates to requirements for TLS connections,
specifically the minimum TLS version was sat to TLS 1.2 and there is now
a check for (I think) some Diffie-Hellman keylength parameters. This has
caused problems. See
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
The quick-and-dirty solution is to change /etc/ssl/openssl.cnf and
change the line
CipherString = DEFAULT at SECLEVEL=2
to have a SECLEVEL=1 instead (this was the setting until Debian 10).
Of course, you should check up on the certificates and TLS settings on
the servers that are flagged as in error, but at least this will revert
to the behaviour before the upgrade.
Regards,
Henrik
Damien Martins skrev den 22-11-2019 10:53:
Hi,
Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
My IMAPS & POPS3S daemon is dovecot 2.3.4.1-5+deb10u1
It is quiet complicated to find the logs for this test, so I don't know what is going wrong.
Sometimes, the test goes green for few minutes.
I tried configuring fail2ban to whitelist my Xymon server IP, and set dovecot to allow a large amount of connections, but this did not change anything.
Any help to investigate or locate IMAPS test logs would be appreciated.