Hello, Am Sonntag, 5. Februar 2023, 16:50:54 CET schrieb Arjen de Korte:

...

I noticed openssl-1_1 is involved, isn't it newly introduced in Tumbleweed? No, this is fallout from a change in AppArmor and requires changes to

Citeren Freek de Kruijf <freek@opensuse.org>: the usr.lib.dovecot.imap-login (and usr.lib.dovecot.pop3-login).

The AppArmor profiles for dovecot didn't change recently, therefore I'd say that it's caused by a change in dovecot or even openssl ;-) Actually it is a change in openssl: # rpm -q --changelog openssl-1_1 | head * Mi Dez 14 2022 Pedro Monreal <pmonreal@suse.com> - Set OpenSSL 3.0 as the default openssl [bsc#1205042] * For compatibility with OpenSSL 3.0, the OpenSSL master configuration file openssl.cnf has been renamed to openssl-1_1.cnf. The executables openssl, c_rehash, CA.pl and tsget.pl have been also renamed to openssl-1_1, c_rehash-1_1, CA-1_1.pl and tsget-1_1.pl, respectively.

...

Filed a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911 Patch and workaround added to this bug and SR#1063271 will fix this.

Thanks, but I'm afraid I'll have to decline your SR ;-) It would work, but it would make the profile too permissive. Especially allowing to read ssl certificates and keys are things I'd like to avoid unless it's really needed. If I get your error message (and what I see on my own system) right, then dovecot "only" needs to read /etc/ssl/openssl-1_1.cnf. Therefore the better fix is to add /etc/ssl/openssl-1_1.cnf r, to the dovecot-imap-login and dovecot-pop3-login profiles. Actually it would be even better to add it to abstractions/openssl. If you want a hotfix that doesn't cause *.rpmnew files: echo '/etc/ssl/openssl-1_1.cnf r,' > \ /etc/apparmor.d/abstractions/openssl.d/boo1207911 rcapparmor reload I just submitted SR 1063514, so the fix should arrive in Tumbleweed soon. Regards, Christian Boltz -- By basic sanity check I meant error/warning messages which can be understood by mere simple human beings from planet earth [Cristian Rodríguez in opensuse-packaging]

On Thu, Feb 09, 2023 at 10:26:08AM +0100, Freek de Kruijf wrote:

Op zondag 5 februari 2023 15:19:36 CET schreef u:

...

After Tumbleweed upgrading to 20230202 dovecot starts up OK, but KMail does not connect anymore. The error messages, when attempting to connect are:

Now the error messages are:

2023-02-09T10:21:45.262522+01:00 eiktum dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:0A00018F:SSL routines::ee key too small: user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<FFza6ED0Asp/AAAB> 2023-02-09T10:21:45.262704+01:00 eiktum dovecot: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<FFza6ED0Asp/AAAB> 2023-02-09T10:21:45.284342+01:00 eiktum dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:0A00018F:SSL routines::ee key too small: user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<V7La6ED0EMp/AAAB> 2023-02-09T10:21:45.284467+01:00 eiktum dovecot: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<V7La6ED0EMp/AAAB>

"key too small" ... How many bits has your key? Ciao, Marcus

On Thu, Feb 9, 2023 at 10:11 AM Freek de Kruijf <freek@opensuse.org> wrote:

openssl x509 -subject -fingerprint -nout -in <old crt key> gives an error Unknown digest 4087FDCA007F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (nout : 0), Properties (<null>)

It aint worth it anymore either way.. I strongly recommend you to issue certs with something like https://github.com/cloudflare/cfssl that by default will do ECC keys instead, which is faster/cheaper for both Alice and Bob.